[jira] [Updated] (HADOOP-12964) Http server vulnerable to clickjacking

[Haibo Chen (JIRA)]

     [ 
https://issues.apache.org/jira/browse/HADOOP-12964?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Haibo Chen updated HADOOP-12964:
--------------------------------
    Description: 
Nessus report shows a medium level issue that "Web Application Potentially 
Vulnerable to Clickjacking" with the description as follows:

"The remote web server does not set an X-Frame-Options response header in all 
content responses. This could potentially expose the site to a clickjacking or 
UI Redress attack wherein an attacker can trick a user into clicking an area of 
the vulnerable page that is different than what the user perceives the page to 
be. This can result in a user performing fraudulent or malicious transactions"

We could add X-Frame-Options, supported in all major browsers, in the Http 
response header to mitigate the issue.

  was:
Nessus report shows a medium level issue that "Web Application Potentially 
Vulnerable to Clickjacking" with the description "The remote web server does 
not set an X-Frame-Options response header in all content responses. This could 
potentially expose the site to a clickjacking or UI Redress attack wherein an 
attacker can trick a user into clicking an area of the vulnerable page that is 
different than what the user perceives the page to be. This can result in a 
user performing fraudulent or malicious transactions"

We could add X-Frame-Options, supported in all major browsers, in the Http 
response header to mitigate the issue.


> Http server vulnerable to clickjacking 
> ---------------------------------------
>
>                 Key: HADOOP-12964
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12964
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Haibo Chen
>            Assignee: Haibo Chen
>
> Nessus report shows a medium level issue that "Web Application Potentially 
> Vulnerable to Clickjacking" with the description as follows:
> "The remote web server does not set an X-Frame-Options response header in all 
> content responses. This could potentially expose the site to a clickjacking 
> or UI Redress attack wherein an attacker can trick a user into clicking an 
> area of the vulnerable page that is different than what the user perceives 
> the page to be. This can result in a user performing fraudulent or malicious 
> transactions"
> We could add X-Frame-Options, supported in all major browsers, in the Http 
> response header to mitigate the issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)