[ https://issues.apache.org/jira/browse/STORM-1989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15385807#comment-15385807 ]

ASF GitHub Bot commented on STORM-1989:
---------------------------------------

GitHub user tibkiss opened a pull request:

    https://github.com/apache/storm/pull/1579

    STORM-1989: X-Frame-Options support for Storm UI


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/tibkiss/storm feature/x-frame-options-support-in-ui

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/storm/pull/1579.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1579
----
commit 4e2e4a990183ceee73009de60e5eafabeb11baa2
Author: Tibor Kiss <[email protected]>
Date:   2016-07-19T11:40:36Z

    Implement HTTP X-Frame-Options for Storm UI

----


> X-Frame-Options support for Storm UI
> ------------------------------------
>
>                 Key: STORM-1989
>                 URL: https://issues.apache.org/jira/browse/STORM-1989
>             Project: Apache Storm
>          Issue Type: Improvement
>          Components: storm-core
>            Reporter: Tibor Kiss
>            Priority: Minor
>              Labels: security
>
> A Cross Frame Scripting (XFS) vulnerability enables an attacker to load 
> malicious code inside an HTTP frame. See more details 
> [here|https://www.owasp.org/index.php/Cross_Frame_Scripting].
> The fix for the vulnerability is trivial: 
> The X-Frame-Options HTTP Header entry needs to be passed to the browser. 
> Further details can be found 
> [here|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options].
> Currently the X-Frame-Options field is not passed to the browser through 
> Storm UI. 
> The implementation for this fix would enable the Storm Administrator to set 
> the X-Frame-Options field through a storm config parameter: 
> ui.http.x-frame-options
> The parameter would have three possible values which would reflect 
> X-Frame-Option's possible values.
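An added example (not code from the Storm project or this pull request) of the two checks an administrator would want around such a setting: validating the configured value against the three forms the header accepts (DENY, SAMEORIGIN, ALLOW-FROM with a single origin) and auditing a UI response to confirm the header actually reaches the browser. The config key name and the sample responses are taken from or constructed for this issue.

```python
"""Validate a ui.http.x-frame-options setting and audit a response for it."""
import re
from urllib.parse import urlsplit

# ALLOW-FROM carries exactly one origin URI after the keyword.
_ALLOW_FROM = re.compile(r"^ALLOW-FROM\s+(\S+)$", re.IGNORECASE)


def normalize_x_frame_options(setting):
    """Return the canonical header value for a config setting, or raise ValueError.

    Accepts DENY, SAMEORIGIN or "ALLOW-FROM <origin>", case-insensitively,
    mirroring the three possible values named in the issue description.
    """
    value = (setting or "").strip()
    if value.upper() in ("DENY", "SAMEORIGIN"):
        return value.upper()
    m = _ALLOW_FROM.match(value)
    if m:
        origin = urlsplit(m.group(1))
        # An origin is scheme plus host only: no path, no query string.
        if (origin.scheme in ("http", "https") and origin.netloc
                and not origin.path.strip("/") and not origin.query):
            return "ALLOW-FROM " + m.group(1)
    raise ValueError("invalid ui.http.x-frame-options value: %r" % setting)


def parse_response_headers(raw):
    """Parse the header block of a raw HTTP response into a lowercase-keyed dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
    return headers


def framing_protection(raw):
    """Return (protected, value): protected is True only for a valid X-Frame-Options."""
    value = parse_response_headers(raw).get("x-frame-options")
    if value is None:
        return (False, None)
    try:
        return (True, normalize_x_frame_options(value))
    except ValueError:
        return (False, value)


# Constructed sample responses: the header-less default and a hardened reply.
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
HARDENED = ("HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
            "Content-Type: text/html\r\n\r\n<html>")
```

Note that current browsers no longer honour ALLOW-FROM and use the Content-Security-Policy frame-ancestors directive for per-origin allow lists instead, so DENY or SAMEORIGIN is the value to rely on.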



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
