[ https://issues.apache.org/jira/browse/HADOOP-12234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14637725#comment-14637725 ]

Apekshit Sharma commented on HADOOP-12234:
------------------------------------------

bq. Take HDFS as example. (1) the HDFS UI has only two pages, and (2) I can see 
that there are valid use cases to embed the file browser in an iframe (e.g., 
integration with Ambari). Having a filter that denies framing is not a viable 
option.

In that case, Ambari users can set 'hadoop.http.xframeoptions.mode' to 'ALLOW'. 
I believe this setting will allow Ambari and future embedding use cases.

bq. Yes. To defend against clickjacking attack reliably, the HTML needs to 
deploy frame busting techniques anyway in order to support older browsers 
(e.g., IE 7).

If there is a single script/place where this change can be made, I think this 
will be a better option, but if it requires changing every page individually, I am 
a bit skeptical, because if one forgets to add the script to new page(s) (in 
Hadoop or other projects), it'll create holes in the security and might bite in 
the future.

> Web UI Framable Page
> --------------------
>
>                 Key: HADOOP-12234
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12234
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Apekshit Sharma
>            Assignee: Apekshit Sharma
>         Attachments: HADOOP-12234-v2-master.patch, HADOOP-12234.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages 
> from being framed from another site.  
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
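A central filter of the kind the comment argues for, as an added example that is not taken from the Hadoop patch or the project's code: a WSGI-style wrapper that reads the proposed hadoop.http.xframeoptions.mode key and stamps X-Frame-Options on every response, so a page added later cannot be left out. The DENY/SAMEORIGIN/ALLOW value set, the SAMEORIGIN default and the WSGI shape are assumptions of this example.

```python
from typing import Optional

# Config key proposed in the comment above; mode values and the WSGI
# shape are assumptions of this example, not Hadoop's implementation.
CONFIG_KEY = "hadoop.http.xframeoptions.mode"
HEADER = "X-Frame-Options"
# DENY / SAMEORIGIN emit the header; ALLOW emits nothing so that an
# embedding tool (the Ambari case in the thread) can frame the UI.
VALID_MODES = {"DENY", "SAMEORIGIN", "ALLOW"}

def header_value(mode: str) -> Optional[str]:
    """Map a configured mode to the header value to send (None = no header)."""
    mode = mode.strip().upper()
    if mode not in VALID_MODES:
        raise ValueError(f"{CONFIG_KEY}: unsupported value {mode!r}")
    return None if mode == "ALLOW" else mode

class XFrameOptionsFilter:
    """Wraps the whole app, so every page (including future ones) is covered."""
    def __init__(self, app, config: dict):
        self.app = app
        # Defaulting to SAMEORIGIN when the key is absent is an assumption here.
        self.value = header_value(config.get(CONFIG_KEY, "SAMEORIGIN"))

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            # Replace any per-page value so the policy lives in one place.
            headers = [(k, v) for k, v in headers if k.lower() != HEADER.lower()]
            if self.value is not None:
                headers.append((HEADER, self.value))
            return start_response(status, headers, exc_info)
        return self.app(environ, wrapped_start)

def page_app(environ, start_response):
    """Stand-in for any UI page; it knows nothing about framing."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><body>file browser</body></html>"]

def serve(app, path: str = "/"):
    """Drive the app once without a server and return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path}, start_response))
    return captured["status"], dict(captured["headers"]), body

if __name__ == "__main__":
    for mode in ("DENY", "SAMEORIGIN", "ALLOW"):
        _, hdrs, _ = serve(XFrameOptionsFilter(page_app, {CONFIG_KEY: mode}), "/new-page")
        print(mode, "->", hdrs.get(HEADER, "<no header>"))
```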



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)