[
https://issues.apache.org/jira/browse/HBASE-15187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15163213#comment-15163213
]
Ted Yu commented on HBASE-15187:
--------------------------------
Please see the design doc for HADOOP-12691 :
https://issues.apache.org/jira/secure/attachment/12781473/CSRFProtectionforRESTAPIs.pdf
See also Chris' comment on HDFS-9711:
https://issues.apache.org/jira/browse/HDFS-9711?focusedCommentId=15124015&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15124015
See also OWASP documentation that clearly states that XSS is not necessary for
a CSRF attack:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#No_Cross-Site_Scripting_.28XSS.29_Vulnerabilities
Thanks to Chris and Larry McCay for related work.
> Integrate CSRF prevention filter to REST gateway
> ------------------------------------------------
>
> Key: HBASE-15187
> URL: https://issues.apache.org/jira/browse/HBASE-15187
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Attachments: HBASE-15187.v1.patch, HBASE-15187.v2.patch,
> HBASE-15187.v3.patch, HBASE-15187.v4.patch, HBASE-15187.v5.patch,
> HBASE-15187.v6.patch, HBASE-15187.v7.patch, HBASE-15187.v8.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard
> against cross-site request forgery attacks.
> This issue tracks the integration of that filter into HBase REST gateway.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
