[ 
https://issues.apache.org/jira/browse/HDFS-5333?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13808301#comment-13808301
 ] 

Haohui Mai commented on HDFS-5333:
----------------------------------

bq. No remote code execution (and automatic img fetch) in browser == no XSS. 
Server-side rendering (HTML) gives user a choice regardless of whether UI is 
actually secure or not.

This is a false statement. Image fetching is one of many possible attack 
windows with respect to XSS attacks. Most of the XSS attacks exploit the fact 
that the program does not filter the input correctly, as I mentioned in my 
responses. I would like to remind you of HDFS-4901 for this particular case.

I would like to refer you to https://www.owasp.org/index.php/XSS_Attacks for 
some examples of XSS attacks.

bq. The statement is again correct but missing the point: client-side only 
rendering has a much larger attack surface.

There is a lengthy qualitative security analysis in my previous responses, 
which compares the threat models and attack surfaces for both web UIs. 
Revisiting them would be highly appreciated. You're welcome to make the 
discussions more concrete by backing them up with detailed analysis and 
concrete numbers.
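The filtering point the comment turns on, shown as an added example in JavaScript (not code from HDFS or from this thread): a directory-listing row rendered from untrusted names with context-aware output encoding, so that neither the text nor the href can carry markup. The `/browse?path=` endpoint and the `entry` shape are assumptions made for the example.

```javascript
// Added example: HTML output encoding for a listing row built from
// untrusted file names. Escaping covers every character that can change
// the HTML or attribute context, not only image/script-related ones.
const HTML_TEXT = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_TEXT[c]);
}

// Link targets are percent-encoded and pinned to a fixed relative base, so a
// crafted name cannot turn the href into a different URL scheme.
// "/browse?path=" is a hypothetical endpoint, not the HDFS Web UI's.
function safeHref(pathName) {
  return "/browse?path=" + encodeURIComponent(pathName);
}

// entry = { name, owner, size } is a constructed shape for this example.
function renderRow(entry) {
  return (
    '<tr><td><a href="' + escapeHtml(safeHref(entry.name)) + '">' +
    escapeHtml(entry.name) + "</a></td><td>" + escapeHtml(entry.owner) +
    "</td><td>" + escapeHtml(String(entry.size)) + "</td></tr>"
  );
}

// Defensive check usable in a unit test: no untrusted field may appear in
// the rendered HTML with a raw '<', '>' or quote that we did not emit ourselves.
function leaksRawMarkup(entry) {
  const html = renderRow(entry);
  return [entry.name, entry.owner].some((v) => /[<>"']/.test(v) && html.includes(v));
}

// Constructed sample: a name containing tags and quotes, an owner with a quote.
const sampleEntry = { name: '<b>dir</b> "x"', owner: "o'brien", size: 42 };
```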


> Improvement of current HDFS Web UI
> ----------------------------------
>
>                 Key: HDFS-5333
>                 URL: https://issues.apache.org/jira/browse/HDFS-5333
>             Project: Hadoop HDFS
>          Issue Type: Improvement
>    Affects Versions: 3.0.0
>            Reporter: Jing Zhao
>            Assignee: Haohui Mai
>
> This is an umbrella jira for improving the current JSP-based HDFS Web UI. 



--
This message was sent by Atlassian JIRA
(v6.1#6144)