[ https://issues.apache.org/jira/browse/HBASE-15187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15163213#comment-15163213 ]
Ted Yu commented on HBASE-15187: -------------------------------- Please see the design doc for HADOOP-12691 : https://issues.apache.org/jira/secure/attachment/12781473/CSRFProtectionforRESTAPIs.pdf See also Chris' comment on HDFS-9711: https://issues.apache.org/jira/browse/HDFS-9711?focusedCommentId=15124015&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-15124015 See also OWASP documentation that clearly states that XSS is not necessary for a CSRF attack: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#No_Cross-Site_Scripting_.28XSS.29_Vulnerabilities Thanks to Chris and Larry McCay for related work. > Integrate CSRF prevention filter to REST gateway > ------------------------------------------------ > > Key: HBASE-15187 > URL: https://issues.apache.org/jira/browse/HBASE-15187 > Project: HBase > Issue Type: Bug > Reporter: Ted Yu > Assignee: Ted Yu > Attachments: HBASE-15187.v1.patch, HBASE-15187.v2.patch, > HBASE-15187.v3.patch, HBASE-15187.v4.patch, HBASE-15187.v5.patch, > HBASE-15187.v6.patch, HBASE-15187.v7.patch, HBASE-15187.v8.patch > > > HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard > against cross-site request forgery attacks. > This issue tracks the integration of that filter into HBase REST gateway. -- This message was sent by Atlassian JIRA (v6.3.4#6332)