Posted to issues@impala.apache.org by "Tamas Mate (Jira)" <ji...@apache.org> on 2020/10/01 08:37:00 UTC

[jira] [Created] (IMPALA-10201) WebUI CSP best practice

Tamas Mate created IMPALA-10201:
-----------------------------------

             Summary: WebUI CSP best practice
                 Key: IMPALA-10201
                 URL: https://issues.apache.org/jira/browse/IMPALA-10201
             Project: IMPALA
          Issue Type: Improvement
    Affects Versions: Impala 4.0
            Reporter: Tamas Mate


The Debug WebUI currently supports only the {{X-Frame-Options}} header, which is still necessary for backward compatibility; however, in the future it will be replaced by the Content Security Policy's {{frame-ancestors}} directive:
{quote}Content Security Policy’s frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored [[w3.org]|https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options].
{quote}
{quote}As described in Section 2.3.2.2, not all browsers implement X-Frame-Options in exactly the same way, which can lead to unintended results. And, given that the "X-" construction is deprecated [RFC6648], the X-Frame-Options header field will be replaced in the future by the Frame-Options directive in the Content Security Policy (CSP) version 1.1 [CSP-1-1]. [[RFC 7034]|https://www.ietf.org/rfc/rfc7034.txt]
{quote}
CSP's {{frame-ancestors}} directive should be implemented to adhere to current security best practices and to avoid depending on a deprecated feature in the future.
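An added example, not Impala's own webserver code, showing the header pair a debug UI would send (X-Frame-Options kept for older browsers, frame-ancestors as the authoritative policy) and a checker that applies the precedence rule quoted above: when both are present, frame-ancestors is enforced and X-Frame-Options is ignored. The origins used are constructed placeholders.

```python
from urllib.parse import urlsplit

def debug_ui_headers(extra_ancestors=None):
    """Headers a debug UI response should carry: X-Frame-Options for browsers that
    predate CSP2, plus the frame-ancestors directive that supersedes it."""
    if not extra_ancestors:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    # X-Frame-Options cannot list foreign origins (ALLOW-FROM is unsupported), so
    # legacy browsers get the stricter SAMEORIGIN while CSP2 browsers get the list.
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy":
                "frame-ancestors 'self' " + " ".join(extra_ancestors)}

def parse_frame_ancestors(csp_value):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def source_matches(source, parent_origin, page_origin):
    """Match one source expression ('none', 'self', host, *.host) against the framing origin."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return parent_origin == page_origin
    scheme, host = src.split("://", 1) if "://" in src else (None, src)
    parent = urlsplit(parent_origin)
    if scheme and scheme != parent.scheme:
        return False
    if host.startswith("*."):
        return (parent.hostname or "").endswith(host[1:])  # "*.a.b" -> ".a.b"
    return parent.netloc == host

def framing_allowed(headers, parent_origin, page_origin):
    """Apply the precedence rule quoted in the ticket: when frame-ancestors is
    present it is enforced and X-Frame-Options is ignored; otherwise fall back."""
    sources = parse_frame_ancestors(headers.get("Content-Security-Policy", ""))
    if sources is not None:
        return any(source_matches(s, parent_origin, page_origin) for s in sources)
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent_origin == page_origin
    return True  # no framing protection at all
```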



--
This message was sent by Atlassian Jira
(v8.3.4#803005)