[ https://issues.apache.org/jira/browse/HDFS-12693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16451090#comment-16451090 ]
Hudson commented on HDFS-12693:
-------------------------------

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #14057 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/14057/])
HDFS-12693. Ozone: Enable XFrame options for KSM/SCM web ui. Contributed (aengineer: rev 27f412fad129b1df7bcb68e9153d33033175d936)
* (edit) hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/web/OzoneHttpServer.java

> Ozone: Enable XFrame options for KSM/SCM web ui
> -----------------------------------------------
>
>                 Key: HDFS-12693
>                 URL: https://issues.apache.org/jira/browse/HDFS-12693
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: ozone
>    Affects Versions: HDFS-7240
>            Reporter: Elek, Marton
>            Assignee: Elek, Marton
>            Priority: Major
>             Fix For: HDFS-7240
>
>         Attachments: HDFS-12693-HDFS-7240.001.patch
>
>
> According to the discussion about the security checklist on the dev list I started to
> check the security features of the existing HttpServer2 and found that by
> default the XFrame option headers are disabled. This patch enables it by
> default for the SCM/KSM server, similar to the Namenode/Datanode webui.
> (Note: Even if the only form on the SCM/KSM UIs is the standard LogLevel
> form, I think it's a good practice to enable it by default.)
>
> Test:
>
> Without the patch (clean build, SCM ui):
>
> {code}
> curl -v localhost:9876/jmx -o /dev/null
>
> * TCP_NODELAY set
> * Connected to localhost (::1) port 9876 (#0)
> > GET /jmx HTTP/1.1
> > Host: localhost:9876
> > User-Agent: curl/7.55.1
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Sat, 21 Oct 2017 19:54:43 GMT
> < Cache-Control: no-cache
> < Expires: Sat, 21 Oct 2017 19:54:43 GMT
> < Date: Sat, 21 Oct 2017 19:54:43 GMT
> < Pragma: no-cache
> < Content-Type: application/json; charset=utf8
> < Access-Control-Allow-Methods: GET
> < Access-Control-Allow-Origin: *
> < Transfer-Encoding: chunked
> {code}
>
> With the patch:
>
> {code}
> curl -v localhost:9876/jmx -o /dev/null
>
> * Connected to localhost (::1) port 9876 (#0)
> > GET /jmx HTTP/1.1
> > Host: localhost:9876
> > User-Agent: curl/7.55.1
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Sat, 21 Oct 2017 19:55:07 GMT
> < Cache-Control: no-cache
> < Expires: Sat, 21 Oct 2017 19:55:07 GMT
> < Date: Sat, 21 Oct 2017 19:55:07 GMT
> < Pragma: no-cache
> < Content-Type: application/json; charset=utf8
> < X-FRAME-OPTIONS: SAMEORIGIN
> < Access-Control-Allow-Methods: GET
> < Access-Control-Allow-Origin: *
> < Transfer-Encoding: chunked
> {code}
>
> Note: the X-FRAME-OPTIONS header exists in the second case.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
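Added example, not part of the issue or the patch: a small Python check that parses `curl -v` transcripts like the two quoted above and reports whether the KSM/SCM response carries a usable X-Frame-Options header. The two sample transcripts are constructed from the response headers shown in the issue; no live server is contacted.

```python
# Constructed samples modelled on the curl -v transcripts in the issue: only the
# response side ("< " lines) matters for the check.
WITHOUT_PATCH = """\
< HTTP/1.1 200 OK
< Date: Sat, 21 Oct 2017 19:54:43 GMT
< Cache-Control: no-cache
< Date: Sat, 21 Oct 2017 19:54:43 GMT
< Content-Type: application/json; charset=utf8
< Access-Control-Allow-Origin: *
"""
WITH_PATCH = """\
< HTTP/1.1 200 OK
< Date: Sat, 21 Oct 2017 19:55:07 GMT
< Content-Type: application/json; charset=utf8
< X-FRAME-OPTIONS: SAMEORIGIN
< Access-Control-Allow-Origin: *
"""


def response_headers(curl_verbose: str) -> dict:
    """Collect response headers from curl -v output into {name: [values]}.

    Only '< Name: value' lines count; the status line ('< HTTP/1.1 200 OK'),
    request lines ('> ...') and connection chatter ('* ...') are skipped.
    Names are lower-cased because HTTP header names are case-insensitive:
    HttpServer2 emits X-FRAME-OPTIONS in upper case, which is still valid.
    """
    headers = {}
    for line in curl_verbose.splitlines():
        if not line.startswith("< ") or line.startswith("< HTTP/"):
            continue
        name, sep, value = line[2:].partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def frame_protection(curl_verbose: str) -> str:
    """Classify the X-Frame-Options header: 'missing', 'invalid', or its value.

    Only DENY and SAMEORIGIN are honoured by current browsers; ALLOW-FROM is
    obsolete, and conflicting duplicate values cannot be relied on either.
    """
    values = {v.upper() for v in response_headers(curl_verbose).get("x-frame-options", [])}
    if not values:
        return "missing"
    if len(values) == 1 and values <= {"DENY", "SAMEORIGIN"}:
        return values.pop()
    return "invalid"


if __name__ == "__main__":
    for label, sample in (("without patch", WITHOUT_PATCH), ("with patch", WITH_PATCH)):
        print(f"{label}: {frame_protection(sample)}")
```

The same function can be fed the output of `curl -v <host>:<port>/jmx -o /dev/null 2>&1` against a real SCM/KSM endpoint to verify the default after deployment.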