hadoop-yarn-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vrushali C (JIRA)" <j...@apache.org>
Subject [jira] [Created] (YARN-7338) Support same origin policy for cross site scripting prevention.
Date Mon, 16 Oct 2017 22:19:00 GMT
Vrushali C created YARN-7338:
--------------------------------

             Summary: Support same origin policy for cross site scripting prevention.
                 Key: YARN-7338
                 URL: https://issues.apache.org/jira/browse/YARN-7338
             Project: Hadoop YARN
          Issue Type: Sub-task
          Components: yarn-ui-v2
            Reporter: Vrushali C



Opening jira as suggested b [~eyang] on the thread for merging YARN-3368 (new web UI) to branch2
 http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3CCAD++eCmVVQNZQz9YnkVKcXaCzdkg50YiOFxktgk3mMMs9sHmUA@mail.gmail.com%3E

----------
Ui2 does not seem to support same origin policy for cross site scripting prevention.
The following parameters has no effect for /ui2:

hadoop.http.cross-origin.enabled = true
yarn.resourcemanager.webapp.cross-origin.enabled = true

This is because ui2 is designed as a separate web application.  WebFilters setup for existing
resource manager doesn’t apply to the new web application.
Please open JIRA to track the security issue and resolve the problem prior to backporting
this to branch-2.
This would minimize the risk to open up security hole in branch-2.

----------



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-dev-help@hadoop.apache.org


Mime
View raw message