[ https://issues.apache.org/jira/browse/HADOOP-12234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14637754#comment-14637754 ]

Haohui Mai commented on HADOOP-12234:
-------------------------------------

I think {{X-Frame-Options}} is a good thing to have but I don't see this as a 
fit in {{hadoop-common}}. I believe that should be done on a per-project basis.

bq. In that case, Ambari users can set 'hadoop.http.xframeoptions.mode' to 
'ALLOW'. I believe this setting will allow Ambari and future embedding use 
cases.

This is far from useful. What happens if both HDFS and YARN, and other projects 
are deployed on the same configuration? In HDFS it requires a finer grain 
control. For example, only {{explorer.html}} can be framed for a particular 
origin but no more.

bq. am a bit skeptical because if one forgets to add the script to new page(s) 
(in hadoop or other projects), it'll create holes in the security and might 
bite in the future.

This is highly speculative. The requirements vary from project to project. In 
HDFS the DN runs Netty as the primary HTTP server; how does the filter even 
apply?
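The finer-grained control argued for above, as an added illustration rather than code from the Hadoop project or from any of the attached patches: a servlet filter that answers every response with a deny-framing policy except for an explicitly configured path/origin pair (the {{explorer.html}} case). The init-parameter name {{framable}}, its entry format, and the Ambari origin are constructed for this example; Hadoop's {{HttpServer2}} has no such parameter.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative per-path framing policy (example code, not Hadoop's).
 * Default for every path is "may not be framed"; only paths listed in the
 * hypothetical "framable" init-param may be framed, and only by the one
 * origin named for them.
 */
public class FramingPolicyFilter implements Filter {

  /** Request path -> the single origin permitted to frame it. */
  private final Map<String, String> framableByOrigin = new LinkedHashMap<>();

  @Override
  public void init(FilterConfig config) {
    // Constructed format: "/explorer.html=https://ambari.example.internal,/other=https://..."
    String spec = config.getInitParameter("framable");
    if (spec == null) {
      return;
    }
    for (String entry : spec.split(",")) {
      int eq = entry.indexOf('=');
      if (eq > 0) {
        framableByOrigin.put(entry.substring(0, eq).trim(),
                             entry.substring(eq + 1).trim());
      }
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    // Decide on the full request URI so static pages served by the default
    // servlet (where getServletPath() may be empty) are matched as well.
    applyPolicy(request.getRequestURI(), response);
    chain.doFilter(req, res);
  }

  /** Sets the framing headers for one path; package-private so a unit test can call it. */
  void applyPolicy(String path, HttpServletResponse response) {
    String origin = framableByOrigin.get(path);
    if (origin == null) {
      // Unlisted pages: refuse all framing, in both the legacy and the CSP form.
      response.setHeader("X-Frame-Options", "DENY");
      response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
    } else {
      // ALLOW-FROM was never implemented by Chrome or Safari and has been dropped
      // by Firefox, so the CSP frame-ancestors directive carries the real
      // allow-list; the legacy header is kept only for user agents that still read it.
      response.setHeader("X-Frame-Options", "ALLOW-FROM " + origin);
      response.setHeader("Content-Security-Policy", "frame-ancestors " + origin);
    }
  }

  @Override
  public void destroy() {
    framableByOrigin.clear();
  }
}
```

Because the policy lives in one place and defaults to deny, a newly added page is protected without anyone remembering to include a script in it, while a page that legitimately needs embedding is opened up only for the origin that needs it. The Netty-served DataNode endpoints mentioned above would need the equivalent header logic in a channel handler, since a servlet filter never sees those responses.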

> Web UI Framable Page
> --------------------
>
>                 Key: HADOOP-12234
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12234
>             Project: Hadoop Common
>          Issue Type: Bug
>            Reporter: Apekshit Sharma
>            Assignee: Apekshit Sharma
>         Attachments: HADOOP-12234-v2-master.patch, 
> HADOOP-12234-v3-master.patch, HADOOP-12234.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages 
> from being framed from another site.  
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)