[
https://issues.apache.org/jira/browse/HADOOP-12964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15237857#comment-15237857
]
Robert Kanter commented on HADOOP-12964:
----------------------------------------
+1 pending Jenkins
I'm not sure what happened to Jenkins on the 003 patch. I've just kicked it
off.
> Http server vulnerable to clickjacking
> ---------------------------------------
>
> Key: HADOOP-12964
> URL: https://issues.apache.org/jira/browse/HADOOP-12964
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Haibo Chen
> Assignee: Haibo Chen
> Attachments: hadoop-12964.001.patch, hadoop-12964.002.patch,
> hadoop-12964.003.patch
>
>
> Nessus report shows a medium level issue that "Web Application Potentially
> Vulnerable to Clickjacking" with the description as follows:
> "The remote web server does not set an X-Frame-Options response header in all
> content responses. This could potentially expose the site to a clickjacking
> or UI Redress attack wherein an attacker can trick a user into clicking an
> area of the vulnerable page that is different than what the user perceives
> the page to be. This can result in a user performing fraudulent or malicious
> transactions"
> We could add X-Frame-Options, supported in all major browsers, in the Http
> response header to mitigate the issue.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
