This is an automated email from the ASF dual-hosted git repository.

dongjoon-hyun pushed a commit to branch branch-4.x
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-4.x by this push:
     new a61801083e90 [SPARK-58054][CORE] Enable 
`spark.ui.contentSecurityPolicy.enabled` by default
a61801083e90 is described below

commit a61801083e90fb7e4c28827dc76baa8082ea93c8
Author: Dongjoon Hyun <[email protected]>
AuthorDate: Wed Jul 8 19:29:33 2026 -0700

    [SPARK-58054][CORE] Enable `spark.ui.contentSecurityPolicy.enabled` by 
default
    
    ### What changes were proposed in this pull request?
    
    This PR aims to enable `spark.ui.contentSecurityPolicy.enabled` by default 
from Apache Spark 4.3.0.
    
    ### Why are the changes needed?
    
    The `Content-Security-Policy` (CSP) header provides defense-in-depth 
against XSS on the Spark UI. All UI pages already emit CSP nonces for their 
inline scripts, so enabling it by default hardens the Web UI out of the box.
    
    ### Does this PR introduce _any_ user-facing change?
    
    Yes, the Spark UI sets the `Content-Security-Policy` header by default. To 
restore the previous behavior, set `spark.ui.contentSecurityPolicy.enabled` to 
`false`.
    
    ### How was this patch tested?
    
    Pass the CIs.
    
    ### Was this patch authored or co-authored using generative AI tooling?
    
    Generated-by: Claude Fable 5
    
    Closes #57144 from dongjoon-hyun/SPARK-58054.
    
    Authored-by: Dongjoon Hyun <[email protected]>
    Signed-off-by: Dongjoon Hyun <[email protected]>
    (cherry picked from commit 88359ec4770b42ac94794f494bf427447e3aabab)
    Signed-off-by: Dongjoon Hyun <[email protected]>
---
 core/src/main/scala/org/apache/spark/internal/config/UI.scala       | 2 +-
 .../test/scala/org/apache/spark/ui/HttpSecurityFilterSuite.scala    | 3 ++-
 docs/core-migration-guide.md                                        | 6 ++++--
 docs/security.md                                                    | 2 +-
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/core/src/main/scala/org/apache/spark/internal/config/UI.scala 
b/core/src/main/scala/org/apache/spark/internal/config/UI.scala
index 7a222247f311..65f26e9ca279 100644
--- a/core/src/main/scala/org/apache/spark/internal/config/UI.scala
+++ b/core/src/main/scala/org/apache/spark/internal/config/UI.scala
@@ -147,7 +147,7 @@ private[spark] object UI {
       .version("4.2.0")
       .withBindingPolicy(ConfigBindingPolicy.NOT_APPLICABLE)
       .booleanConf
-      .createWithDefault(false)
+      .createWithDefault(true)
 
   val UI_CONTENT_SECURITY_POLICY_FRAME_ANCESTORS_ENABLED =
     ConfigBuilder("spark.ui.contentSecurityPolicy.frameAncestors.enabled")
diff --git 
a/core/src/test/scala/org/apache/spark/ui/HttpSecurityFilterSuite.scala 
b/core/src/test/scala/org/apache/spark/ui/HttpSecurityFilterSuite.scala
index 16c170fa2736..91fbd6f72b66 100644
--- a/core/src/test/scala/org/apache/spark/ui/HttpSecurityFilterSuite.scala
+++ b/core/src/test/scala/org/apache/spark/ui/HttpSecurityFilterSuite.scala
@@ -155,6 +155,7 @@ class HttpSecurityFilterSuite extends SparkFunSuite {
 
   test("no CSP header when CSP is disabled regardless of frameAncestors 
setting") {
     val conf = new SparkConf(false)
+      .set(UI_CONTENT_SECURITY_POLICY_ENABLED, false)
     val secMgr = new SecurityManager(conf)
     val req = mockRequest()
     val res = mock(classOf[HttpServletResponse])
@@ -163,7 +164,7 @@ class HttpSecurityFilterSuite extends SparkFunSuite {
     val filter = new HttpSecurityFilter(conf, secMgr)
     filter.doFilter(req, res, chain)
 
-    // CSP is disabled by default, so no CSP header should be emitted
+    // CSP is disabled explicitly, so no CSP header should be emitted
     verify(res, times(0)).setHeader(meq("Content-Security-Policy"), any())
   }
 
diff --git a/docs/core-migration-guide.md b/docs/core-migration-guide.md
index 5fdd0fcf6088..e80d04238ca0 100644
--- a/docs/core-migration-guide.md
+++ b/docs/core-migration-guide.md
@@ -30,9 +30,11 @@ license: |
 
 - Since Spark 4.3, Spark sets `allowPrivilegeEscalation` to `false` on the 
driver and executor containers' security context by default. To restore the 
legacy behavior, you can set 
`spark.kubernetes.securityContext.allowPrivilegeEscalation` to `true`.
 
-- Since Spark 4.3, the default value of `spark.ui.xXssProtection` has been 
changed from `1; mode=block` to `0`. The XSS Auditor has been removed from 
Chrome and Edge, and was never implemented in Firefox. It can introduce 
side-channel vulnerabilities in browsers that still support it (Safari). To 
restore the legacy behavior, you can set `spark.ui.xXssProtection` to `1; 
mode=block`. For modern XSS protection, consider enabling 
`spark.ui.contentSecurityPolicy.enabled`.
+- Since Spark 4.3, Spark sets the HTTP `Content-Security-Policy` (CSP) 
response header for the Spark UI by default, restricting the sources from which 
the browser is allowed to load resources. To restore the legacy behavior, you 
can set `spark.ui.contentSecurityPolicy.enabled` to `false`.
 
-- Since Spark 4.3, `spark.ui.allowFramingFrom` now uses CSP `frame-ancestors` 
instead of the deprecated `X-Frame-Options: ALLOW-FROM` (which was ignored by 
all modern browsers). This setting only takes effect when 
`spark.ui.contentSecurityPolicy.enabled=true`. When CSP is disabled (the 
default), `X-Frame-Options: SAMEORIGIN` is always used regardless of the 
`allowFramingFrom` value. To allow framing from a specific origin, set both 
`spark.ui.contentSecurityPolicy.enabled=true` and `spark [...]
+- Since Spark 4.3, the default value of `spark.ui.xXssProtection` has been 
changed from `1; mode=block` to `0`. The XSS Auditor has been removed from 
Chrome and Edge, and was never implemented in Firefox. It can introduce 
side-channel vulnerabilities in browsers that still support it (Safari). To 
restore the legacy behavior, you can set `spark.ui.xXssProtection` to `1; 
mode=block`.
+
+- Since Spark 4.3, `spark.ui.allowFramingFrom` now uses CSP `frame-ancestors` 
instead of the deprecated `X-Frame-Options: ALLOW-FROM` (which was ignored by 
all modern browsers). This setting only takes effect when 
`spark.ui.contentSecurityPolicy.enabled=true` (the default). When CSP is 
disabled, `X-Frame-Options: SAMEORIGIN` is always used regardless of the 
`allowFramingFrom` value.
 
 ## Upgrading from Core 4.1 to 4.2
 
diff --git a/docs/security.md b/docs/security.md
index 4691e339480d..7c0d1b08875e 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -813,7 +813,7 @@ Security.
 </tr>
 <tr>
   <td><code>spark.ui.contentSecurityPolicy.enabled</code></td>
-  <td><code>false</code></td>
+  <td><code>true</code></td>
   <td>
     When enabled, the Content-Security-Policy (CSP) HTTP response header is 
set for the Spark UI,
     restricting the sources from which the browser is allowed to load 
resources as a


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to