[
https://issues.apache.org/jira/browse/HADOOP-12234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14637658#comment-14637658
]
Haohui Mai commented on HADOOP-12234:
-------------------------------------
bq. this seems inefficient, since it requires maintaining the fix on every HTML
page. By far the common case is "I don't expect to be in a frame." Especially
given a known attack vector, we should make folks opt in to allowing it.
I believe it needs to be taken care of by each different project. Why not put
it in the project that needs it?
Take HDFS as an example. (1) The HDFS UI has only two pages, and (2) I can see
that there are valid use cases to embed the file browser in an iframe (e.g.,
integration with Ambari). Having a filter that denies framing is not a viable
option.
bq. Interesting idea. So the idea would be to change the web UI HTML directly
rather than using this filter?
Yes. To defend against clickjacking attacks reliably, the HTML needs to deploy
frame-busting techniques anyway in order to support older browsers (e.g., IE 7).
> Web UI Framable Page
> --------------------
>
> Key: HADOOP-12234
> URL: https://issues.apache.org/jira/browse/HADOOP-12234
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Apekshit Sharma
> Assignee: Apekshit Sharma
> Attachments: HADOOP-12234-v2-master.patch, HADOOP-12234.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages
> from being framed from another site.
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)