[ https://issues.apache.org/jira/browse/HDFS-12693?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16451090#comment-16451090 ]

Hudson commented on HDFS-12693:
-------------------------------

SUCCESS: Integrated in Jenkins build Hadoop-trunk-Commit #14057 (See 
[https://builds.apache.org/job/Hadoop-trunk-Commit/14057/])
HDFS-12693. Ozone: Enable XFrame options for KSM/SCM web ui. Contributed 
(aengineer: rev 27f412fad129b1df7bcb68e9153d33033175d936)
* (edit) hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/ozone/web/OzoneHttpServer.java


> Ozone: Enable XFrame options for KSM/SCM web ui
> -----------------------------------------------
>
>                 Key: HDFS-12693
>                 URL: https://issues.apache.org/jira/browse/HDFS-12693
>             Project: Hadoop HDFS
>          Issue Type: Sub-task
>          Components: ozone
>    Affects Versions: HDFS-7240
>            Reporter: Elek, Marton
>            Assignee: Elek, Marton
>            Priority: Major
>             Fix For: HDFS-7240
>
>         Attachments: HDFS-12693-HDFS-7240.001.patch
>
>
> According to the discussion about the security checklist on the dev list, I started to 
> check the security features of the existing HttpServer2 and found that, by 
> default, the X-Frame-Options header is disabled. This patch enables it by 
> default for the SCM/KSM servers, similar to the Namenode/Datanode web UI. 
> (Note: Even if the only form on the SCM/KSM UIs is the standard LogLevel 
> form, I think it's good practice to enable it by default.)
> Test:
> Without the patch (clean build, SCM ui):
> {code}
> curl -v localhost:9876/jmx -o /dev/null
> * TCP_NODELAY set
> * Connected to localhost (::1) port 9876 (#0)
> > GET /jmx HTTP/1.1
> > Host: localhost:9876
> > User-Agent: curl/7.55.1
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Date: Sat, 21 Oct 2017 19:54:43 GMT
> < Cache-Control: no-cache
> < Expires: Sat, 21 Oct 2017 19:54:43 GMT
> < Date: Sat, 21 Oct 2017 19:54:43 GMT
> < Pragma: no-cache
> < Content-Type: application/json; charset=utf8
> < Access-Control-Allow-Methods: GET
> < Access-Control-Allow-Origin: *
> < Transfer-Encoding: chunked
> {code}
> With the patch:
> {code}
> curl -v localhost:9876/jmx -o /dev/null
> * Connected to localhost (::1) port 9876 (#0)
> > GET /jmx HTTP/1.1
> > Host: localhost:9876
> > User-Agent: curl/7.55.1
> > Accept: */*
> > 
> < HTTP/1.1 200 OK
> < Date: Sat, 21 Oct 2017 19:55:07 GMT
> < Cache-Control: no-cache
> < Expires: Sat, 21 Oct 2017 19:55:07 GMT
> < Date: Sat, 21 Oct 2017 19:55:07 GMT
> < Pragma: no-cache
> < Content-Type: application/json; charset=utf8
> < X-FRAME-OPTIONS: SAMEORIGIN
> < Access-Control-Allow-Methods: GET
> < Access-Control-Allow-Origin: *
> < Transfer-Encoding: chunked
> {code}
> Note: the X-FRAME-OPTIONS header is present in the second case.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
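The curl transcripts above are compared by eye. The following script is an added example for this thread (not code from Hadoop or Ozone) that automates the same check: it parses a raw HTTP response head case-insensitively (the Ozone server emits the header as `X-FRAME-OPTIONS`, in upper case, which is legal since header names are case-insensitive), decides whether the value actually blocks cross-origin framing, and can also fetch a live endpoint. The two embedded sample responses are constructed from the before/after output in the issue description; the `check_url` helper, the file name in the usage note, and the treatment of `ALLOW-FROM` as unprotected are this example's own choices.

```python
"""Check whether an HTTP response carries a usable X-Frame-Options header.

Added example for this JIRA thread, not part of Hadoop/Ozone. The sample
responses below are constructed from the curl output in HDFS-12693.
"""
from __future__ import annotations

import http.client
import sys
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Values that prevent framing by other origins. ALLOW-FROM was never widely
# implemented and is ignored by current browsers, so it counts as no protection.
PROTECTIVE_VALUES = {"DENY", "SAMEORIGIN"}

# Constructed from the issue description: the SCM /jmx response head before
# the patch (no X-Frame-Options) and after it (X-FRAME-OPTIONS: SAMEORIGIN).
BEFORE_PATCH = """HTTP/1.1 200 OK
Date: Sat, 21 Oct 2017 19:54:43 GMT
Cache-Control: no-cache
Expires: Sat, 21 Oct 2017 19:54:43 GMT
Pragma: no-cache
Content-Type: application/json; charset=utf8
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Transfer-Encoding: chunked
"""

AFTER_PATCH = """HTTP/1.1 200 OK
Date: Sat, 21 Oct 2017 19:55:07 GMT
Cache-Control: no-cache
Expires: Sat, 21 Oct 2017 19:55:07 GMT
Pragma: no-cache
Content-Type: application/json; charset=utf8
X-FRAME-OPTIONS: SAMEORIGIN
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Transfer-Encoding: chunked
"""


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP/1.1 response head into a dict keyed by lower-cased name.

    Lower-casing matters here: the server sends 'X-FRAME-OPTIONS' while most
    checkers look for 'X-Frame-Options'. Both are the same header.
    """
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the head
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for a parsed header map."""
    value = headers.get("x-frame-options")
    if value is None:
        return False, "X-Frame-Options header missing"
    normalized = value.strip().upper()
    if normalized in PROTECTIVE_VALUES:
        return True, f"X-Frame-Options: {normalized}"
    if normalized.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by modern browsers"
    return False, f"unrecognized X-Frame-Options value {value!r}"


def check_url(url: str, timeout: float = 5.0) -> Tuple[bool, str]:
    """Fetch a live endpoint with GET (HEAD is not guaranteed to be served) and evaluate it.

    Hypothetical helper for this example; it is not run by the offline checks.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        headers = {name.lower(): val for name, val in resp.getheaders()}
    finally:
        conn.close()
    return framing_protection(headers)


if __name__ == "__main__":
    for label, raw in (("before patch", BEFORE_PATCH), ("after patch", AFTER_PATCH)):
        ok, why = framing_protection(parse_raw_headers(raw))
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({why})")
    for target in sys.argv[1:]:  # optional live targets, e.g. http://localhost:9876/jmx
        ok, why = check_url(target)
        print(f"{target}: {'PASS' if ok else 'FAIL'} ({why})")
```

Run it as `python3 xfo_check.py` (hypothetical file name) to evaluate the two embedded samples, or pass `http://localhost:9876/jmx` as an argument to test a running SCM/KSM instance the same way the issue does with curl. Two caveats: the script only looks at X-Frame-Options, so a site relying solely on a `Content-Security-Policy: frame-ancestors` directive (which supersedes X-Frame-Options in browsers that support it) will be reported as unprotected; and a header check proves the server sends the value, not that every endpoint behind HttpServer2 does, so run it against each UI path that renders a form.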
