[
https://issues.apache.org/jira/browse/HADOOP-15457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16478237#comment-16478237
]
Robert Kanter commented on HADOOP-15457:
----------------------------------------
A few more comments, and then I think we're good to go:
# Now that {{xFrameParams}} is seeded by {{setHeaders}}, we can do a little
more cleanup by having {{setHeaders}} simply return the {{Map}} instead of
having the caller create the {{Map}} and {{setHeaders}} returning it by
reference.
# {{X_FRAME_ENABLED}} is no longer used and can be deleted.
# {{QuotingInputFilter#doFilter}} will be called on every request, so
{{addHeaders}}, which is iterating through a bunch of configs and doing regex
pattern matching, will be called on every request. I think we should move that
to {{QuotingInputFilter#init}} and populate a map; we can then simply add the
headers in {{QuotingInputFilter#doFilter}}, which will be faster.
# In your tests, the first argument to {{assertEquals}} (and similar) is the
expected value and the second argument is the actual value. The ones where
you're using {{getHeaderField}} are therefore reversed. For example, it should
be:
{code:java}
assertEquals(HttpServer2.X_XSS_PROTECTION.split(":")[1],
conn.getHeaderField(HttpServer2.X_XSS_PROTECTION.split(":")[0]));
{code}
#
{{System.out.println("printing:"+conn.getHeaderField(HttpServer2.X_XSS_PROTECTION));}}
is unnecessary. The {{assert}} statements will print out the value if they
fail
# The {{assertNotEquals}} is redundant. The subsequent {{assertEquals}}
handles it (and is stricter).
> Add Security-Related HTTP Response Header in WEBUIs.
> ----------------------------------------------------
>
> Key: HADOOP-15457
> URL: https://issues.apache.org/jira/browse/HADOOP-15457
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Kanwaljeet Sachdev
> Assignee: Kanwaljeet Sachdev
> Priority: Major
> Labels: security
> Attachments: HADOOP-15457.001.patch, HADOOP-15457.002.patch,
> YARN-8198.001.patch, YARN-8198.002.patch, YARN-8198.003.patch,
> YARN-8198.004.patch, YARN-8198.005.patch
>
>
> As of today, YARN web-ui lacks certain security related http response
> headers. We are planning to add few default ones and also add support for
> headers to be able to get added via xml config. Planning to make the below
> two as default.
> * X-XSS-Protection: 1; mode=block
> * X-Content-Type-Options: nosniff
>
> Support for headers via config properties in core-site.xml will be along the
> below lines
> {code:java}
> <property>
> <name>hadoop.http.header.Strict_Transport_Security</name>
> <value>valHSTSFromXML</value>
> </property>{code}
>
> A regex matcher will lift these properties and add into the response header
> when Jetty prepares the response.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
