Tibor Kiss created STORM-1989:
---------------------------------
Summary: X-Frame-Options support for Storm UI
Key: STORM-1989
URL: https://issues.apache.org/jira/browse/STORM-1989
Project: Apache Storm
Issue Type: Bug
Components: storm-core
Reporter: Tibor Kiss
Priority: Minor

Cross Frame Scripting (XFS) vulnerability enables an attacker to load malicious
code inside an HTTP frame. See more details
[here|https://www.owasp.org/index.php/Cross_Frame_Scripting].

The fix for the vulnerability is trivial:
The X-Frame-Options HTTP Header entry needs to be passed to the browser.
Further details can be found
[here|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options].

Currently the X-Frame-Options field is not passed to the browser through Storm
UI.

The implementation for this fix would enable the Storm Administrator to set the
X-Frame-Options field through a storm config parameter:
ui.http.x-frame-options

The parameter would have three possible values which would reflect
X-Frame-Options' possible values.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
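
An added example, not part of the original issue or of Storm's code: one way the proposed `ui.http.x-frame-options` setting could be validated before it becomes a response header. The class and method names, the case-insensitive matching and the control-character check are assumptions; DENY, SAMEORIGIN and ALLOW-FROM are the header's three values as defined in RFC 7034.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

public class XFrameOptionsConfig {
    static final String KEY = "ui.http.x-frame-options"; // parameter name proposed in the issue
    static final String HEADER = "X-Frame-Options";

    /** Header value to send, or empty when the parameter is unset (assumed behaviour). */
    static Optional<String> headerValue(Map<String, Object> conf) {
        Object raw = conf.get(KEY);
        if (raw == null) return Optional.empty();
        String v = raw.toString().trim();
        // A config value must never be able to split the response header.
        if (v.chars().anyMatch(Character::isISOControl))
            throw new IllegalArgumentException(KEY + " contains control characters");
        String upper = v.toUpperCase(Locale.ROOT);
        if (upper.equals("DENY") || upper.equals("SAMEORIGIN")) return Optional.of(upper);
        if (upper.startsWith("ALLOW-FROM ")) {
            String origin = v.substring("ALLOW-FROM ".length()).trim();
            try {
                URI u = new URI(origin);
                String scheme = u.getScheme();
                boolean web = "http".equalsIgnoreCase(scheme) || "https".equalsIgnoreCase(scheme);
                if (web && u.getHost() != null) return Optional.of("ALLOW-FROM " + origin);
            } catch (URISyntaxException e) {
                // fall through to the rejection below
            }
        }
        throw new IllegalArgumentException(KEY + " must be DENY, SAMEORIGIN or ALLOW-FROM <origin>");
    }

    public static void main(String[] args) {
        // Constructed sample settings: three accepted forms, then two that must be rejected.
        String[] samples = {"deny", "SAMEORIGIN", "ALLOW-FROM https://ops.example.com",
                            "ALLOWALL", "DENY\r\nSet-Cookie: x=1"};
        for (String s : samples) {
            try {
                System.out.println(HEADER + ": " + headerValue(Map.of(KEY, s)).orElse("(not sent)"));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Current browsers ignore `ALLOW-FROM`; the Content-Security-Policy `frame-ancestors` directive is its replacement.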