[
https://issues.apache.org/jira/browse/IMPALA-10201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Tim Armstrong updated IMPALA-10201:
-----------------------------------
Labels: newbie ramp-up (was: )
> WebUI CSP best practice
> -----------------------
>
> Key: IMPALA-10201
> URL: https://issues.apache.org/jira/browse/IMPALA-10201
> Project: IMPALA
> Issue Type: Improvement
> Affects Versions: Impala 4.0
> Reporter: Tamas Mate
> Priority: Minor
> Labels: newbie, ramp-up
>
> The Debug WebUI currently supports only the {{X-Frame-Options}} header, which
> is necessary due to backward compatibility, however in the future it will be
> replaced by the Content Security Policy’s {{frame-ancestors}} directive:
> {quote}Content Security Policy’s frame-ancestors directive obsoletes the
> X-Frame-Options header. If a resource has both policies, the frame-ancestors
> policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored
> [[w3.org]|https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options].
> {quote}
> {quote}As described in Section 2.3.2.2, not all browsers implement
> X-Frame-Options in exactly the same way, which can lead to unintended
> results. And, given that the "X-" construction is deprecated [RFC6648], the
> X-Frame-Options header field will be replaced in the future by the
> Frame-Options directive in the Content Security Policy (CSP) version 1.1
> [CSP-1-1]. [[RFC 7034]|https://www.ietf.org/rfc/rfc7034.txt]
> {quote}
> CSP's {{frame-ancestors}} header should be implemented to adhere to the current
> security best practices and to avoid depending on a deprecated feature in the future.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
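An added example, not code from Impala or from the issue reporter: a small C++ checker for the precedence rule the quoted CSP2 text describes. If a response carries a frame-ancestors directive it is enforced and X-Frame-Options is ignored; otherwise X-Frame-Options decides; with neither header, framing is allowed. A second helper emits both headers for the transition period. The Headers type, origins and header values are constructed for the example, and host-source matching is simplified (no default-port handling).

```cpp
#include <cctype>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Response headers keyed by lower-cased header name (stand-in type, not Impala's).
using Headers = std::map<std::string, std::string>;

enum class Framing { kAllow, kBlock };

static std::string Lower(std::string s) {
  for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
  return s;
}

// Whitespace-separated tokens of one CSP directive.
static std::vector<std::string> Tokens(const std::string& v) {
  std::istringstream in(v);
  std::vector<std::string> out;
  for (std::string w; in >> w;) out.push_back(w);
  return out;
}

// Copies the frame-ancestors source list (possibly empty) into *sources.
// Returns false when the directive is absent from the CSP value.
static bool FrameAncestors(const std::string& csp, std::vector<std::string>* sources) {
  std::istringstream in(csp);
  for (std::string directive; std::getline(in, directive, ';');) {
    std::vector<std::string> toks = Tokens(directive);
    if (toks.empty() || Lower(toks[0]) != "frame-ancestors") continue;
    sources->assign(toks.begin() + 1, toks.end());
    return true;
  }
  return false;
}

// Simplified host-source matching: '*' matches everything, a bare scheme ("https:")
// matches that scheme, "*.example.com" matches any subdomain, anything else must
// equal the ancestor's host[:port] exactly. `src` is already lower-cased.
static bool HostMatches(const std::string& src, const std::string& origin) {
  const std::string o = Lower(origin);
  if (src == "*") return true;
  const std::string::size_type sp = src.find("://"), op = o.find("://");
  if (src.back() == ':' && sp == std::string::npos) return o.compare(0, src.size(), src) == 0;
  if (sp != std::string::npos && op != std::string::npos && src.substr(0, sp) != o.substr(0, op)) return false;
  const std::string s_host = sp == std::string::npos ? src : src.substr(sp + 3);
  const std::string o_host = op == std::string::npos ? o : o.substr(op + 3);
  if (s_host.compare(0, 2, "*.") == 0) {
    const std::string suffix = s_host.substr(1);  // ".example.com"
    return o_host.size() > suffix.size() &&
           o_host.compare(o_host.size() - suffix.size(), suffix.size(), suffix) == 0;
  }
  return s_host == o_host;
}

// May a document at ancestor_origin embed a response served from self_origin?
// CSP2 precedence: frame-ancestors, if present, is enforced and X-Frame-Options
// is ignored; otherwise X-Frame-Options decides; with neither, framing is allowed.
Framing MayFrame(const Headers& h, const std::string& self_origin, const std::string& ancestor_origin) {
  std::vector<std::string> sources;
  const Headers::const_iterator csp = h.find("content-security-policy");
  if (csp != h.end() && FrameAncestors(csp->second, &sources)) {
    // An empty source list or a lone 'none' matches nothing.
    if (sources.empty() || (sources.size() == 1 && Lower(sources[0]) == "'none'")) return Framing::kBlock;
    for (const std::string& raw : sources) {
      const std::string src = Lower(raw);
      if (src == "'none'") continue;  // ignored when other sources are present
      if (src == "'self'") { if (Lower(ancestor_origin) == Lower(self_origin)) return Framing::kAllow; continue; }
      if (HostMatches(src, ancestor_origin)) return Framing::kAllow;
    }
    return Framing::kBlock;
  }
  const Headers::const_iterator xfo = h.find("x-frame-options");
  if (xfo != h.end()) {
    const std::string v = Lower(xfo->second);
    if (v == "deny") return Framing::kBlock;
    if (v == "sameorigin") return Lower(ancestor_origin) == Lower(self_origin) ? Framing::kAllow : Framing::kBlock;
    // ALLOW-FROM and unknown values are where browsers disagree (RFC 7034): fail closed.
    return Framing::kBlock;
  }
  return Framing::kAllow;
}

// Transition-period headers: CSP-aware browsers enforce frame-ancestors and ignore
// X-Frame-Options; legacy browsers only see X-Frame-Options. Only 'none' and 'self'
// translate exactly; any other source list falls back to DENY (stricter, never looser).
Headers FramingHeaders(const std::string& frame_ancestors_sources) {
  Headers h;
  h["content-security-policy"] = "frame-ancestors " + frame_ancestors_sources;
  h["x-frame-options"] = Lower(frame_ancestors_sources) == "'self'" ? "SAMEORIGIN" : "DENY";
  return h;
}
```

The practical point for a debug UI is the DENY fallback in FramingHeaders: a legacy browser that only understands X-Frame-Options must never end up looser than the CSP policy, so anything that has no exact X-Frame-Options equivalent is mapped to the strictest value.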