[ https://issues.apache.org/jira/browse/HADOOP-12234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15089358#comment-15089358 ]
Steve Loughran commented on HADOOP-12234:
-----------------------------------------
Reviewing this, I am pleased to see that we don't need to care about IE7 any
more. Which is good, as nobody was going to test it anyway.

A filter in hadoop-common seems the best place for it. The main issue is: what
turns it on and where? I'm with Haohui here: make it something projects
explicitly turn on/off if they choose. HDFS's needs "part of a management
console" are different from a YARN app where that's not a perceived use case.

On that topic, we'd probably recommend that YARN apps use it too, wouldn't we?
Or at least have the RM proxy add it when filtering requests, which would give
it to the apps automatically.
> Web UI Framable Page
> --------------------
>
> Key: HADOOP-12234
> URL: https://issues.apache.org/jira/browse/HADOOP-12234
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Appy
> Assignee: Appy
> Attachments: HADOOP-12234-v2-master.patch,
> HADOOP-12234-v3-master.patch, HADOOP-12234.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages
> from being framed from another site.
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
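
An added illustration (not code from the HADOOP-12234 patches or from the Hadoop project) of the kind of opt-in servlet filter discussed in the comment above. The class name `FrameOptionsFilter` and the init-parameter names `xframe.enabled` and `xframe.value` are hypothetical.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical opt-in filter; class and parameter names are assumptions. */
public class FrameOptionsFilter implements Filter {
  // Hypothetical init-param names, chosen for this example only.
  static final String ENABLED_PARAM = "xframe.enabled";
  static final String VALUE_PARAM = "xframe.value";

  private boolean enabled;
  private String headerValue;

  @Override
  public void init(FilterConfig conf) throws ServletException {
    // Off unless the embedding project turns it on explicitly
    // (Boolean.parseBoolean(null) returns false).
    enabled = Boolean.parseBoolean(conf.getInitParameter(ENABLED_PARAM));
    String v = conf.getInitParameter(VALUE_PARAM);
    headerValue = (v == null) ? "SAMEORIGIN" : v.trim().toUpperCase(Locale.ROOT);
    // Allowlist the value so a bad config entry cannot become an
    // arbitrary or malformed response header.
    if (!headerValue.equals("DENY") && !headerValue.equals("SAMEORIGIN")) {
      throw new ServletException(
          "Unsupported X-Frame-Options value: " + headerValue);
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res,
      FilterChain chain) throws IOException, ServletException {
    if (enabled && res instanceof HttpServletResponse) {
      // Set before the chain runs: headers added after the response
      // is committed are silently dropped.
      ((HttpServletResponse) res).setHeader("X-Frame-Options", headerValue);
    }
    chain.doFilter(req, res);
  }

  @Override
  public void destroy() { }
}
```

A quick check after enabling such a filter is to request any UI page and confirm the `X-Frame-Options` header appears on error pages and redirects as well as on normal responses.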