[ZEPPELIN-2765] Configurable X-FRAME-OPTIONS for Zeppelin ### What is this PR for? The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites. Set the X-Frame-Options header for all responses containing HTML content. The possible values are "DENY", "SAMEORIGIN", or "ALLOW-FROM uri"
### What type of PR is it? [Bug Fix | Improvement ] ### What is the Jira issue? * [ZEPPELIN-2765](https://issues.apache.org/jira/browse/ZEPPELIN-2765) ### How should this be tested? The application (Zeppelin) loads in iframe. Put below code in a html file and open in browser: <iframe src="{http_proto}://{zeppelin_host}:{zeppelin_port}/#/" width="100%" height="600"></iframe> Author: krishna-pandey <[email protected]> Closes #2482 from krishna-pandey/ZEPPELIN-2765 and squashes the following commits: 948d9c0e9 [krishna-pandey] Removed hyphen from the value 518f1a4a2 [krishna-pandey] Configurable X-FRAME-OPTIONS for Zeppelin Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/d2907b5c Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/d2907b5c Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/d2907b5c Branch: refs/heads/branch-0.7 Commit: d2907b5c14adeb9d626cec54ca10ea4d82fa73c2 Parents: fc02cdb Author: krishna-pandey <[email protected]> Authored: Wed Jul 12 11:30:58 2017 +0530 Committer: Prabhjyot Singh <[email protected]> Committed: Tue Aug 15 11:08:34 2017 -0700 ---------------------------------------------------------------------- conf/zeppelin-site.xml.template | 7 +++++++ .../src/main/java/org/apache/zeppelin/server/CorsFilter.java | 1 + .../java/org/apache/zeppelin/conf/ZeppelinConfiguration.java | 7 +++++++ 3 files changed, 15 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/conf/zeppelin-site.xml.template ---------------------------------------------------------------------- diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template index 85341c3..c7c878b 100755 --- a/conf/zeppelin-site.xml.template +++ b/conf/zeppelin-site.xml.template @@ -335,5 +335,12 @@ <description>Hardcoding Application Server name to Prevent Fingerprinting</description> </property> --> +<!-- +<property> + <name>zeppelin.server.xframe.options</name> + <value>SAMEORIGIN</value> + <description>The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame/iframe/object.</description> +</property> +--> </configuration> http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java ---------------------------------------------------------------------- diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java index 3fccf1f..d29af7b 100644 --- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java +++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java @@ -80,6 +80,7 @@ public class CorsFilter implements Filter { DateFormat fullDateFormatEN = DateFormat.getDateTimeInstance(DateFormat.FULL, DateFormat.FULL, new Locale("EN", "en")); response.addHeader("Date", fullDateFormatEN.format(new Date())); + response.addHeader("X-FRAME-OPTIONS", ZeppelinConfiguration.create().getXFrameOptions()); } @Override http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java ---------------------------------------------------------------------- diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java index 97ad60d..d2bb648 100644 --- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java +++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java @@ -479,6 +479,12 @@ public class ZeppelinConfiguration extends XMLConfiguration { return getString(ConfVars.ZEPPELIN_SERVER_JETTY_NAME); } + + public String getXFrameOptions() { + return getString(ConfVars.ZEPPELIN_SERVER_XFRAME_OPTIONS); + } + + public Map<String, String> dumpConfigurations(ZeppelinConfiguration conf, ConfigurationKeyPredicate predicate) { Map<String, String> configurations = new HashMap<>(); @@ -622,6 +628,7 @@ public class ZeppelinConfiguration extends XMLConfiguration { ZEPPELIN_CREDENTIALS_PERSIST("zeppelin.credentials.persist", true), ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"), ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false), + ZEPPELIN_SERVER_XFRAME_OPTIONS("zeppelin.server.xframe.options", "SAMEORIGIN"), ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null); private String varName;
