[ https://issues.apache.org/jira/browse/HADOOP-12234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15251816#comment-15251816 ]

Larry McCay commented on HADOOP-12234:
--------------------------------------

This is an issue that has come up for our users and I just spent a few days 
duplicating this work in https://issues.apache.org/jira/browse/HADOOP-13008. 

Can someone tell me why this patch has stalled?

A couple comments on the differences between the two implementations:

1. package of the class - mine is in the same package as CrossOriginFilter and 
RestCsrfPreventionFilter: org.apache.hadoop.security.http. I think that it 
makes sense to keep these web app security filters together. I don't really 
care for the "lib" in this package name but maybe this is an existing pattern 
in hadoop elsewhere?
2. configuration prefixes - in order to accommodate some ability for some 
components to override a global setting, I proposed the use of separate 
prefixes. A global one that would be used if a component specific one was not 
found. See the JIRA for comments around that.
3. filter initializer - it seems that this implementation has its own filter 
initializer where HADOOP-13008 introduces the filter and would rely on 
integration specific initializers which would be able to interrogate the 
prefixed configuration for each integration point.

I think that we should determine which implementation should be resolved as 
duplicate based on the sense of which one is closer to what we need and 
adjusting to accommodate the other. I don't have any problem discarding 
HADOOP-13008 but let's discuss here.

I would like to get this feature in as soon as we possibly can in order to 
address the needs and concerns of our customers/users.

> Web UI Framable Page
> --------------------
>
>                 Key: HADOOP-12234
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12234
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Appy
>            Assignee: Appy
>         Attachments: HADOOP-12234-v2-master.patch, 
> HADOOP-12234-v3-master.patch, HADOOP-12234.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages 
> from being framed from another site.  
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
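As an added illustration of the filter design discussed in the comment above (component-specific prefix consulted first, global prefix as fallback, X-Frame-Options set on every response), here is a sketch of such a servlet filter. It is example code written for this page, not the patch attached to HADOOP-12234 nor the HADOOP-13008 implementation; the property names (hadoop.http.xframe.enabled, hadoop.http.xframe.value, xframe.component.prefix) and the class name are hypothetical choices for the example and read from plain filter init parameters rather than Hadoop's Configuration.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.Locale;
import java.util.Properties;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative anti-clickjacking filter written for this discussion; it is
 * neither the HADOOP-12234 patch nor the HADOOP-13008 code. The header value
 * is looked up under a component-specific prefix first and under a global
 * prefix when the component has no setting of its own.
 */
public class XFrameOptionsFilter implements Filter {
  public static final String HEADER = "X-Frame-Options";
  // Hypothetical property names chosen for the example; Hadoop's real keys may differ.
  public static final String GLOBAL_PREFIX = "hadoop.http.";
  public static final String ENABLED_SUFFIX = "xframe.enabled";
  public static final String VALUE_SUFFIX = "xframe.value";
  // Init parameter naming the component prefix to consult, e.g. "yarn.resourcemanager.webapp."
  public static final String COMPONENT_PREFIX_PARAM = "xframe.component.prefix";

  private boolean enabled = true;
  private String headerValue = "SAMEORIGIN";

  /** Component-specific key wins; the global key is the fallback; dflt if neither is set. */
  static String resolve(Properties conf, String componentPrefix, String suffix, String dflt) {
    String v = componentPrefix == null ? null : conf.getProperty(componentPrefix + suffix);
    if (v == null) {
      v = conf.getProperty(GLOBAL_PREFIX + suffix);
    }
    return v == null ? dflt : v.trim();
  }

  /**
   * Only DENY, SAMEORIGIN and ALLOW-FROM <origin> mean anything to a browser.
   * A misspelled value would be sent as-is and ignored, leaving the UI framable,
   * so reject it at startup rather than silently shipping it.
   */
  static String validate(String value) {
    String upper = value.toUpperCase(Locale.ROOT);
    if (upper.equals("DENY") || upper.equals("SAMEORIGIN")) {
      return upper;
    }
    if (upper.startsWith("ALLOW-FROM ")) {
      String origin = value.substring("ALLOW-FROM ".length()).trim();
      if (origin.startsWith("http://") || origin.startsWith("https://")) {
        return "ALLOW-FROM " + origin;
      }
    }
    throw new IllegalArgumentException("Invalid " + HEADER + " value: " + value);
  }

  @Override
  public void init(FilterConfig filterConfig) throws ServletException {
    // Copy init parameters into a Properties so the same lookup works for whatever
    // configuration source an integration-specific initializer hands the filter.
    Properties conf = new Properties();
    Enumeration<?> names = filterConfig.getInitParameterNames();
    while (names.hasMoreElements()) {
      String n = (String) names.nextElement();
      conf.setProperty(n, filterConfig.getInitParameter(n));
    }
    String componentPrefix = filterConfig.getInitParameter(COMPONENT_PREFIX_PARAM);
    enabled = Boolean.parseBoolean(resolve(conf, componentPrefix, ENABLED_SUFFIX, "true"));
    headerValue = validate(resolve(conf, componentPrefix, VALUE_SUFFIX, "SAMEORIGIN"));
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    if (enabled && response instanceof HttpServletResponse) {
      // setHeader (not addHeader) so no second, conflicting value survives from
      // downstream; it must be set before the response is committed, hence before chain.doFilter.
      ((HttpServletResponse) response).setHeader(HEADER, headerValue);
    }
    chain.doFilter(request, response);
  }

  @Override
  public void destroy() {
  }
}
```

Two caveats a deployer should keep in mind: the filter only protects responses that actually pass through it, so it has to be mapped to "/*" (and to any separately registered static-content servlets), and ALLOW-FROM is honoured only by some browsers (Firefox, Internet Explorer) while Chrome and Safari ignore it, so DENY or SAMEORIGIN is the safe choice and Content-Security-Policy's frame-ancestors directive is the portable way to allow a specific framing origin. After deployment, `curl -sI http://<host>:<port>/ | grep -i x-frame-options` on each UI endpoint confirms the header is present.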
