Joel Zambrano created ZEPPELIN-245:
--------------------------------------
Summary: Zeppelin enables CORS (Cross-Origin Request Sharing) by
default with insecure settings (Access-Control-Allow-Origin: *)
Key: ZEPPELIN-245
URL: https://issues.apache.org/jira/browse/ZEPPELIN-245
Project: Zeppelin
Issue Type: Bug
Components: Core
Affects Versions: 0.5.0
Reporter: Joel Zambrano
Fix For: 0.6.0
Description:
CORS (Cross-Origin Request Sharing) is a mechanism that allows restricted
resources (e.g. fonts, JavaScript, etc.) on a web page to be requested from
another domain outside the domain from which the resource originated. It is
possible to restrict cross-origin requests to just verified and authorized
domains by providing their domain in the HTTP response header
Access-Control-Allow-Origin. The insecure value, specified by the star (*),
allows requests coming from any source. In such a context, a malicious user could
force a victim user to visit a web page containing malicious client-side code
that interacts with the Zeppelin APIs.
Recommendations:
It is strongly recommended to disable CORS if it is not needed, by removing the
corresponding Zeppelin source code lines. According to our analysis, there is no
need to support cross-origin API requests.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
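As an added illustration (this is example code, not Apache Zeppelin's own code or the fix shipped in 0.6.0), the following Python model contrasts the insecure wildcard policy the issue describes with an exact-match origin allowlist, and includes a small checker of the kind a tester would run against a probe response. The origin `https://zeppelin.example:8080`, the attacker origin `https://evil.example`, and the function names are assumptions made for the example.

```python
# Added example, not code from Apache Zeppelin: a minimal model of the server
# side of CORS, showing the insecure wildcard policy the issue reports next to
# an exact-match origin allowlist, plus a checker that classifies the
# Access-Control-Allow-Origin header a probe request gets back.
# All origins and header values below are constructed for the example.

ALLOWED_ORIGINS = {"https://zeppelin.example:8080"}  # assumed deployment origin


def cors_headers_wildcard(origin):
    """Insecure policy (the reported default): every origin is allowed.

    The request's Origin is ignored entirely, so a page on any site can
    read responses from the API.
    """
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers_allowlist(origin, allowed_origins=ALLOWED_ORIGINS,
                           allow_credentials=False):
    """Hardened policy: grant access only to an exact allowlisted origin.

    An origin is scheme + host + port; compare the whole string, never a
    suffix or substring (a "contains zeppelin.example" check would also
    match "zeppelin.example.evil.example"). With no match, emit no CORS
    headers at all so the browser withholds the response from the script.
    """
    if origin is None or origin not in allowed_origins:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        # The answer depends on Origin, so shared caches must key on it.
        "Vary": "Origin",
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def assess_cors(probe_origin, response_headers):
    """Classify what a probe sent from an untrusted `probe_origin` was granted.

    Returns a list of findings; an empty list means the response did not
    grant cross-origin read access to the probe origin.
    """
    headers = {k.lower(): v for k, v in response_headers.items()}
    acao = headers.get("access-control-allow-origin")
    credentialed = headers.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if acao == "*":
        # Any site can read the response. Browsers refuse to pair "*" with
        # credentials, so this variant exposes unauthenticated endpoints.
        findings.append("wildcard-origin")
    elif acao is not None and acao == probe_origin:
        # The server echoed an arbitrary origin back, which is equivalent
        # to "*"; if credentials are allowed too, the victim's session
        # cookies ride along with the attacker's requests.
        findings.append("reflected-origin")
        if credentialed:
            findings.append("credentialed")
    return findings


if __name__ == "__main__":
    attacker = "https://evil.example"
    print("wildcard :", assess_cors(attacker, cors_headers_wildcard(attacker)))
    print("allowlist:", assess_cors(attacker, cors_headers_allowlist(attacker)))
```

The checker is meant to be driven with an origin that should not be trusted: a response that echoes that origin is as permissive as the wildcard, and worse when `Access-Control-Allow-Credentials: true` accompanies it. If cross-origin access is genuinely not needed, as the report concludes, the simplest hardening is to emit no Access-Control-Allow-Origin header at all.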