[
https://issues.apache.org/jira/browse/HADOOP-13008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15272793#comment-15272793
]
Chris Nauroth commented on HADOOP-13008:
----------------------------------------
Hello [~lmccay]. This looks good. Here are just a few comments:
# I think for completeness, there are a few other relevant methods that
{{XFrameOptionsResponseWrapper}} needs to override: {{addDateHeader}},
{{addIntHeader}}, {{setDateHeader}} and {{setIntHeader}}. All of those should
disallow altering X-Frame-Options.
# Check indentation level on the {{super}} call here.
{code}
public XFrameOptionsResponseWrapper(HttpServletResponse response) {
super(response);
}
{code}
# I generally prefer that tests just let exceptions propagate instead of
catching and calling {{fail}}, unless the test specifically covers an error
case and needs to verify the right kind of exception was thrown. If there is a
test failure, letting the exception propagate will show the full stack trace in
the JUnit report, and that's often helpful for diagnosis.
> Add XFS Filter for UIs to Hadoop Common
> ---------------------------------------
>
> Key: HADOOP-13008
> URL: https://issues.apache.org/jira/browse/HADOOP-13008
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 2.8.0
>
> Attachments: HADOOP-13008-001.patch
>
>
> Cross Frame Scripting (XFS) prevention for UIs can be provided through a
> common servlet filter. This filter will set the X-Frame-Options HTTP header
> to DENY unless configured to another valid setting.
> There are a number of UIs that could just add this to their filters as well
> as the Yarn webapp proxy which could add it for all its proxied UIs - if
> appropriate.
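The first review point above, worked through as an added example (not code from HADOOP-13008-001.patch): a response wrapper that guards every header-mutating method, so code further down the filter chain cannot replace or append to X-Frame-Options through the date or int variants. The class name `LockedXFrameOptionsResponse` and the `option` parameter are hypothetical, the `reset()` override goes beyond the methods listed in the comment, and the `javax.servlet` API is assumed to be on the classpath.

```java
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** Hypothetical wrapper: callers holding it cannot alter X-Frame-Options. */
public class LockedXFrameOptionsResponse extends HttpServletResponseWrapper {
  private static final String X_FRAME_OPTIONS = "X-Frame-Options";
  private final String option;

  public LockedXFrameOptionsResponse(HttpServletResponse response, String option) {
    super(response);
    this.option = option;
    // Write to the wrapped response directly, bypassing the guards below.
    response.setHeader(X_FRAME_OPTIONS, option);
  }

  // HTTP header names are case-insensitive, so "x-frame-options" must match too.
  private static boolean isLocked(String name) {
    return X_FRAME_OPTIONS.equalsIgnoreCase(name);
  }

  @Override public void setHeader(String name, String value) {
    if (!isLocked(name)) { super.setHeader(name, value); }
  }
  @Override public void addHeader(String name, String value) {
    if (!isLocked(name)) { super.addHeader(name, value); }
  }
  @Override public void setDateHeader(String name, long date) {
    if (!isLocked(name)) { super.setDateHeader(name, date); }
  }
  @Override public void addDateHeader(String name, long date) {
    if (!isLocked(name)) { super.addDateHeader(name, date); }
  }
  @Override public void setIntHeader(String name, int value) {
    if (!isLocked(name)) { super.setIntHeader(name, value); }
  }
  @Override public void addIntHeader(String name, int value) {
    if (!isLocked(name)) { super.addIntHeader(name, value); }
  }

  // Assumption beyond the review comment: reset() clears all headers on an
  // uncommitted response, so the protected header is restored afterwards.
  @Override public void reset() {
    super.reset();
    ((HttpServletResponse) getResponse()).setHeader(X_FRAME_OPTIONS, option);
  }
}
```

A filter would pass this wrapper to `chain.doFilter(request, wrapper)` so every later servlet and filter sees only the guarded methods.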