[ https://issues.apache.org/jira/browse/HIVE-17679?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16203112#comment-16203112 ]

Thejas M Nair commented on HIVE-17679:
--------------------------------------

FYI, HIVE-13853 adds the ability to introduce X-XSRF-Header through a config 
option for both HS2 (thrift http requests) and webhcat. If that is enabled, then 
requests from the UI cannot be sent as they can't add this custom header to the 
requests.


> http-generic-click-jacking for WebHcat server
> ---------------------------------------------
>
>                 Key: HIVE-17679
>                 URL: https://issues.apache.org/jira/browse/HIVE-17679
>             Project: Hive
>          Issue Type: Bug
>          Components: Security, WebHCat
>    Affects Versions: 2.1.1
>            Reporter: Aihua Xu
>            Assignee: Aihua Xu
>             Fix For: 3.0.0
>
>         Attachments: HIVE-17679.1.patch, HIVE-17679.2.patch
>
>
> The web UIs do not include the "X-Frame-Options" header to prevent the pages 
> from being framed from another site.
> Reference:
> https://www.owasp.org/index.php/Clickjacking
> https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
> https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
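
One way to verify the header the issue asks for, as an added example that is not part of the original message or the HIVE-17679 patches: a small audit of a response head for `X-Frame-Options` or CSP `frame-ancestors`. The function names and the sample responses are constructed for illustration, not captured from WebHCat.

```python
# Added example: audit an HTTP response head for anti-framing headers.
# The sample responses below are constructed, not captured from WebHCat.

ENFORCED_XFO = {"deny", "sameorigin"}  # values current browsers act on

def parse_headers(raw):
    """Return [(lowercased name, value)] from a raw HTTP response."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def framing_verdict(raw):
    """Return (protected, reason) for one response."""
    headers = parse_headers(raw)
    # CSP frame-ancestors overrides X-Frame-Options where it is supported.
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                if "*" in parts[1:]:
                    return (False, "frame-ancestors allows any origin")
                return (True, "CSP " + " ".join(parts))
    # Headers may repeat or carry comma-separated values; collect every token.
    tokens = {t.strip().lower() for n, v in headers
              if n == "x-frame-options" for t in v.split(",") if t.strip()}
    if not tokens:
        return (False, "no X-Frame-Options or frame-ancestors")
    if len(tokens) == 1 and tokens <= ENFORCED_XFO:
        return (True, "X-Frame-Options " + tokens.pop().upper())
    # Conservative audit stance: obsolete (ALLOW-FROM), unknown or
    # conflicting values are reported as needing a fix.
    return (False, "unenforced or conflicting value: " + ", ".join(sorted(tokens)))

MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
FIXED = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html></html>"
OBSOLETE = "HTTP/1.1 200 OK\r\nx-frame-options: ALLOW-FROM https://example.org\r\n\r\n"
CSP = "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("missing", MISSING), ("fixed", FIXED),
                       ("obsolete", OBSOLETE), ("csp", CSP)]:
        print(label, framing_verdict(raw))
```
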
