[
https://issues.apache.org/jira/browse/HADOOP-12234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14637880#comment-14637880
]
Apekshit Sharma commented on HADOOP-12234:
------------------------------------------
[~wheat9] you have some good points with which I agree and some with which I
don't. However, my only point is, while this might not be the ideal and as
fine-grained as you want to support Ambari and same configuration use case,
it's still better than current system. At least those not using Ambari can
benefit from the better security and it doesn't have any negative effect on
Ambari users.
I am sorry, but I have only limited time that I can invest in this issue and
designing a finer-grained control system and implementing it seems out of that
scope right now. We can create an issue to improve the filter and maybe someone
else can collaborate with you on that.
bq. I believe that should be done in a per-project basis.
Am not sure, you may be right here. In that case, we can change the default to
'ALLOW' and projects can set it to deny if needed.
We should get this in because this is only making the system better.
> Web UI Framable Page
> --------------------
>
> Key: HADOOP-12234
> URL: https://issues.apache.org/jira/browse/HADOOP-12234
> Project: Hadoop Common
> Issue Type: Bug
> Reporter: Apekshit Sharma
> Assignee: Apekshit Sharma
> Attachments: HADOOP-12234-v2-master.patch,
> HADOOP-12234-v3-master.patch, HADOOP-12234.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages
> from being framed from another site.
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options