[ 
https://issues.apache.org/jira/browse/HBASE-14148?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14641288#comment-14641288
 ] 

Sean Busbey commented on HBASE-14148:
-------------------------------------

You're correct about what's causing the audit failure. It either isn't 
detecting that as the BSD license, or it doesn't recognize the BSD license as 
legit. We could rephrase the license or configure rat to recognize it, but 
let's step back for a minute to address [~eclark]'s concerns.

(Elliot, please correct me if I misstate your position)

{quote}
bq. I don't think that this is complex enough that we should be copying code 
from others.

I agree with you that it is a very trivial piece of code and that anyone would 
have written the same. However, when I was reading on clickjacking, I came across 
it, read it and it was in the back of my head when I was doing changes. So the 
fact remains that I referenced it, and since the code looks the same (it couldn't 
have looked different, right!), I'd prefer to have the new-BSD license 
here. We all are anyways interested in the feature, right?
{quote}

I don't read any opposition to the feature in Elliot's response, just an 
opposition to not doing our own implementation. Is it possible for you to 
reimplement the configurable x-frame headers in a way that does not look like 
the OWASP version? If it isn't, we'll need to find a contributor who can 
reimplement this knowing only the spec (that is, someone who hasn't seen the 
OWASP code).

> Web UI Framable Page
> --------------------
>
>                 Key: HBASE-14148
>                 URL: https://issues.apache.org/jira/browse/HBASE-14148
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Apekshit Sharma
>            Assignee: Apekshit Sharma
>         Attachments: HBASE-14148-master.patch, HBASE-14148-v2-master.patch, 
> HBASE-14148-v3-master.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages 
> from being framed from another site.  
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
