hadoop-common-issues mailing list archives

From "Larry McCay (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-13008) Add XFS Filter for UIs to Hadoop Common
Date Wed, 18 May 2016 16:51:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-13008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15289297#comment-15289297

Larry McCay commented on HADOOP-13008:

[~vvasudev] - Thank you for bringing this to my attention!

This effort was certainly not intended to duplicate any other work - in fact, I went to some
length to make sure that I didn't do so with HADOOP-12234.

I was unaware of the inner QuotingInputFilter class within HttpServer2 or the fact that it
also adds X-Frame-Options.

The fact that it is baked into the HttpServer2 class rather than commonly available for anyone
to use and that it doesn't separate the responsibility for XFS make that filter less reusable
by the overall ecosystem.

My inclination is to refactor the functionality in QuotingInputFilter out into a generic
XSS filter that can be reused by others and to integrate with it and the common XFS filter
rather than relying on HttpServer2 specific filters.


> Add XFS Filter for UIs to Hadoop Common
> ---------------------------------------
>                 Key: HADOOP-13008
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13008
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 2.8.0
>         Attachments: HADOOP-13008-001.patch, HADOOP-13008-002.patch, HADOOP-13008-003.patch,
>
> Cross Frame Scripting (XFS) prevention for UIs can be provided through a common servlet
> filter. This filter will set the X-Frame-Options HTTP header to DENY unless configured to
> another valid setting.
>
> There are a number of UIs that could just add this to their filters as well as the Yarn
> webapp proxy which could add it for all its proxied UIs - if appropriate.

This message was sent by Atlassian JIRA
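As an added illustration (not the HADOOP-13008 patch itself or any Hadoop code), a minimal servlet filter of the kind the issue describes: it sets X-Frame-Options to DENY unless an init parameter configures another valid value, and refuses to start on an invalid value rather than leaving the UI frameable. The init-param name `xframe-options` and the class name are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Illustrative XFS filter: sets X-Frame-Options on every response it wraps. */
public class XFrameOptionsFilter implements Filter {
  static final String HEADER = "X-Frame-Options";
  static final String PARAM = "xframe-options"; // assumed init-param name, not from the patch
  private String value = "DENY";                // default when nothing is configured

  @Override
  public void init(FilterConfig config) throws ServletException {
    String configured = config.getInitParameter(PARAM);
    if (configured != null) {
      value = validate(configured);
    }
  }

  /** Accept only values browsers honour. A misspelt value would be ignored by the
   *  browser and silently leave the UI frameable, so fail closed at startup instead. */
  static String validate(String raw) throws ServletException {
    String v = raw.trim();
    String upper = v.toUpperCase(Locale.ROOT);
    if (upper.equals("DENY") || upper.equals("SAMEORIGIN")) {
      return upper;
    }
    if (upper.startsWith("ALLOW-FROM ") && v.length() > "ALLOW-FROM ".length()) {
      return "ALLOW-FROM " + v.substring("ALLOW-FROM ".length()).trim(); // keep origin as given
    }
    throw new ServletException("Invalid " + HEADER + " value: " + raw);
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    if (res instanceof HttpServletResponse) {
      // setHeader, not addHeader: a value set by another filter is replaced, never stacked
      ((HttpServletResponse) res).setHeader(HEADER, value);
    }
    chain.doFilter(req, res); // header is set before downstream code can commit the response
  }

  @Override public void destroy() {}
}
```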
