Tamas Mate created IMPALA-10201:
-----------------------------------
Summary: WebUI CSP best practice
Key: IMPALA-10201
URL: https://issues.apache.org/jira/browse/IMPALA-10201
Project: IMPALA
Issue Type: Improvement
Affects Versions: Impala 4.0
Reporter: Tamas Mate
The Debug WebUI currently sends only the {{X-Frame-Options}} header. That header
is still needed for backward compatibility with older browsers; however, it has
been superseded by the Content Security Policy {{frame-ancestors}} directive:
{quote}Content Security Policy’s frame-ancestors directive obsoletes the
X-Frame-Options header. If a resource has both policies, the frame-ancestors
policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored
[[w3.org]|https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options].
{quote}
{quote}As described in Section 2.3.2.2, not all browsers implement
X-Frame-Options in exactly the same way, which can lead to unintended results.
And, given that the "X-" construction is deprecated [RFC6648], the
X-Frame-Options header field will be replaced in the future by the
Frame-Options directive in the Content Security Policy (CSP) version 1.1
[CSP-1-1]. [[RFC 7034]|https://www.ietf.org/rfc/rfc7034.txt]
{quote}
The CSP {{frame-ancestors}} directive should be implemented to adhere to current
security best practices and to avoid depending on a feature that is being
deprecated. Sending both headers is safe: a browser that understands
{{frame-ancestors}} enforces it and ignores {{X-Frame-Options}}, while an older
browser falls back to {{X-Frame-Options}}.
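As an added example (not Impala code, and not part of the original issue), the following script shows how a browser that follows the CSP2 rule quoted above resolves framing when a response carries {{X-Frame-Options}}, {{frame-ancestors}}, or both: {{frame-ancestors}} wins when present, otherwise {{X-Frame-Options}} applies. The response headers, the page origin and the embedding origins are constructed samples; the hypothetical CSP value shows a debug UI that allows same-origin framing and framing from an internal dashboard host.

```python
"""Resolve whether a page may be framed, following the CSP2 precedence rule:
if both frame-ancestors and X-Frame-Options are present, frame-ancestors is
enforced and X-Frame-Options is ignored.  Added example; the headers and
origins below are constructed, not taken from a real Impala deployment."""
from urllib.parse import urlsplit
import fnmatch

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_tuple(origin):
    """Normalise an origin to (scheme, host, port) so that
    'https://a.example' and 'https://a.example:443' compare equal."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or _DEFAULT_PORTS.get(scheme)


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _host_source_matches(source, origin):
    """Match a CSP host-source or scheme-source (e.g. https://*.corp.example:8443,
    https:) against an embedder origin."""
    scheme, host, port = _origin_tuple(origin)
    if source == "*":
        return True
    if "://" in source:
        src_scheme, rest = source.split("://", 1)
        if src_scheme != scheme:
            return False
    elif source.endswith(":") and "/" not in source:   # scheme-source such as "https:"
        return source[:-1] == scheme
    else:
        rest = source
    src_host, _, src_port = rest.partition(":")
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    return fnmatch.fnmatchcase(host, src_host)


def frame_ancestors_allows(sources, page_origin, embedder_origin):
    """Evaluate a frame-ancestors source list; an empty list or 'none' blocks."""
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'":
            if _origin_tuple(page_origin) == _origin_tuple(embedder_origin):
                return True
        elif _host_source_matches(src, embedder_origin):
            return True
    return False


def x_frame_options_allows(value, page_origin, embedder_origin):
    """Evaluate X-Frame-Options per RFC 7034 (DENY, SAMEORIGIN, ALLOW-FROM)."""
    v = value.strip().upper()
    if v == "DENY":
        return False
    if v == "SAMEORIGIN":
        return _origin_tuple(page_origin) == _origin_tuple(embedder_origin)
    if v.startswith("ALLOW-FROM"):
        # Browser support for ALLOW-FROM is uneven, as RFC 7034 itself notes.
        parts = v.split(None, 1)
        return len(parts) == 2 and _origin_tuple(parts[1]) == _origin_tuple(embedder_origin)
    # Unrecognised value: assumed here to impose no policy, so the audit
    # surfaces it as an allowed framing rather than silently hiding it.
    return True


def framing_decision(headers, page_origin, embedder_origin):
    """Return (allowed, policy), where policy names the mechanism that decided.
    A frame-ancestors directive takes precedence over X-Frame-Options."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        policy = parse_csp(csp)
        if "frame-ancestors" in policy:
            allowed = frame_ancestors_allows(policy["frame-ancestors"], page_origin, embedder_origin)
            return allowed, "frame-ancestors"
    xfo = h.get("x-frame-options")
    if xfo is not None:
        return x_frame_options_allows(xfo, page_origin, embedder_origin), "x-frame-options"
    return True, "none"


# Constructed sample data (hypothetical hosts and ports).
PAGE = "https://impalad.corp.example:25000"
LEGACY_HEADERS = {"X-Frame-Options": "DENY"}
CSP_HEADERS = {"X-Frame-Options": "DENY",
               "Content-Security-Policy": "frame-ancestors 'self' https://*.corp.example:8443"}
EMBEDDERS = [PAGE,
             "https://grafana.corp.example:8443",
             "http://grafana.corp.example:8443",
             "https://attacker.example"]


def audit(headers, embedders=EMBEDDERS, page_origin=PAGE):
    """Map each candidate embedder origin to its framing decision."""
    return {e: framing_decision(headers, page_origin, e) for e in embedders}


if __name__ == "__main__":
    for name, hdrs in (("legacy", LEGACY_HEADERS), ("csp", CSP_HEADERS)):
        for embedder, (allowed, policy) in audit(hdrs).items():
            print(f"{name:6} {embedder:40} {'ALLOW' if allowed else 'BLOCK'} via {policy}")
```

With the legacy headers every embedder is blocked by {{X-Frame-Options: DENY}}; with the CSP headers the same {{DENY}} is ignored and the {{frame-ancestors}} list decides, so the same-origin page and the {{https}} dashboard host are allowed while the {{http}} variant (scheme mismatch) and the unrelated origin are blocked. Note that {{frame-ancestors}} is only honoured in an enforced {{Content-Security-Policy}} header, not in {{Content-Security-Policy-Report-Only}} or in a {{<meta>}} tag, which is why the script looks at that header alone.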
--
This message was sent by Atlassian Jira
(v8.3.4#803005)