[
https://issues.apache.org/jira/browse/HADOOP-12234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14635506#comment-14635506
]
Colin Patrick McCabe commented on HADOOP-12234:
-----------------------------------------------
bq. Can you specify the concrete attack scenario that you're defending against?
My understanding from reading the owasp.org page is that the attack scenario
would be something like the following: the user somehow loads a malicious web
site. That malicious website redirects some of the user's clicks unexpectedly
to the HDFS web UI, with malicious results. This might be a way for users who
don't have permission to access the HDFS web UI to take advantage of users who
do.
bq. I don't think it makes sense to make it available through a filter due to
the variety requirements of the different projects. A better approach is to
change the HTML code to ensure that the UI runs on the top frame.
Interesting idea. So the idea would be to change the web UI HTML directly
rather than using this filter?
> Web UI Framable Page
> --------------------
>
> Key: HADOOP-12234
> URL: https://issues.apache.org/jira/browse/HADOOP-12234
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Apekshit Sharma
> Assignee: Apekshit Sharma
> Attachments: HADOOP-12234.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages
> from being framed from another site.
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
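As an added illustration of the header-based defense the ticket proposes (a response filter that sets `X-Frame-Options`), the following Python example is not part of the ticket, the attached patch, or Hadoop itself; the real change is a Java servlet filter. It models the same idea as a WSGI middleware (`XFrameOptionsFilter`, a hypothetical name) that stamps every response with `DENY` or `SAMEORIGIN` unless the wrapped application already chose a value, and pairs it with `is_framable`, a small checker that reports whether a response's headers still permit framing, which is the test a reviewer or scanner would run against the web UI before and after the fix. The tiny application and the request driver are constructed here so it runs offline.

```python
"""Added example (not Hadoop code): an X-Frame-Options response filter and a
checker for whether a response can still be framed by another site."""
from typing import Callable, List, Tuple

Headers = List[Tuple[str, str]]

# The two values every browser that implements the header understands.
# ALLOW-FROM was never supported consistently and is treated as no protection.
ALLOWED_VALUES = ("DENY", "SAMEORIGIN")


def is_framable(headers: Headers) -> bool:
    """Return True if nothing in the response forbids framing by another origin.

    Only X-Frame-Options is considered, since that is the header this ticket is
    about. A Content-Security-Policy frame-ancestors directive would also
    count, but is out of scope here.
    """
    for name, value in headers:
        if name.lower() == "x-frame-options":
            if value.strip().upper() in ALLOWED_VALUES:
                return False
            # ALLOW-FROM or an unrecognised value: browsers ignore the header,
            # so the page is effectively still framable.
    return True


class XFrameOptionsFilter:
    """WSGI middleware playing the role of the servlet filter in the ticket.

    Adds X-Frame-Options to every response unless the wrapped application
    already set one, so a page that deliberately chose a value keeps it.
    """

    def __init__(self, app: Callable, value: str = "SAMEORIGIN") -> None:
        if value.upper() not in ALLOWED_VALUES:
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.app = app
        self.value = value.upper()

    def __call__(self, environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            if not any(n.lower() == "x-frame-options" for n, _ in headers):
                headers = list(headers) + [("X-Frame-Options", self.value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def unprotected_app(environ, start_response):
    """Constructed stand-in for a web UI page with a state-changing link."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body><a href='/delete'>Delete</a></body></html>"]


def run(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Minimal WSGI driver (constructed request) so the example runs offline."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for label, app in (("before", unprotected_app),
                       ("after", XFrameOptionsFilter(unprotected_app, "DENY"))):
        _, headers, _ = run(app)
        print(label, "framable:", is_framable(headers), headers)
```

`SAMEORIGIN` is the usual choice for a UI that frames its own pages; `DENY` is stricter and fine when it does not. Note that the checker deliberately treats `ALLOW-FROM` as unprotected, because browser support for it was never uniform.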