[ https://issues.apache.org/jira/browse/MESOS-5219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15250345#comment-15250345 ]

Don Laidlaw commented on MESOS-5219:
------------------------------------

From Wikipedia:
{quote}
Clickjacking is possible because seemingly harmless features of HTML web pages 
can be employed to perform unexpected actions.

A clickjacked page tricks a user into performing undesired actions by clicking 
on a concealed link. On a clickjacked page, the attackers load another page 
over it in a transparent layer. The users think that they are clicking visible 
buttons, while they are actually performing actions on the hidden/invisible 
page. The hidden page may be an authentic page; therefore, the attackers can 
trick users into performing actions which the users never intended. There is no 
way of tracing such actions to the attackers later, as the users would have 
been genuinely authenticated on the hidden page.
{quote}

The worst part about clickjacking is that the attack can happen even if the 
attacker does not have access to the server being attacked. If the user of the 
web browser can access the mesos host:port, then that is enough to allow a 
clickjacking attack.

There is some good information at OWASP about defending against clickjacking: 
[https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet#Introduction] 
And the Wikipedia page describes it very well also: 
[https://en.wikipedia.org/wiki/Clickjacking] Both document the X-Frame-Options 
solution.

I would recommend making the addition of the X-Frame-Options header to HTTP 
responses optional by adding a startup option. If the option is not provided, 
then do not create the X-Frame-Options header; if the option is provided, then 
set the header to the value specified by the user.

The same is true for cross-site scripting. See 
[https://en.wikipedia.org/wiki/Cross-site_scripting] and 
[https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet].

> Add security headers to HTTP response
> -------------------------------------
>
>                 Key: MESOS-5219
>                 URL: https://issues.apache.org/jira/browse/MESOS-5219
>             Project: Mesos
>          Issue Type: Improvement
>          Components: HTTP API
>            Reporter: Don Laidlaw
>
> Cross-site scripting and clickjacking are major concerns. Many issues can be 
> resolved by setting some headers in the HTTP responses for the user interface 
> and REST responses for both the master and slave processes.
> X-Frame-Options: Can be set to deny, sameorigin, or allow-from <uri>
> X-XSS-Protection: 1; mode=block
> These would go a long way to making sites using Mesos more secure. Note that 
> the user exploiting attacks does not need to have access to the Mesos hosts; 
> they are attacked through a user's web browser. So if the user can connect to 
> both Mesos and the internet, it is an issue.
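The opt-in startup option proposed in the comment, together with the header values listed in the issue description, as an added example (not Mesos code): a validator for the flag value that rejects typos at startup, the header builder with no-flag/no-header semantics, and a defender-side check of whether a given origin could frame a page served with those headers. The flag names, origins and the hypothetical `security_headers` API are assumptions, not Mesos's actual options.

```python
from urllib.parse import urlsplit

# X-Frame-Options keywords; matching is case-insensitive (RFC 7034).
_XFO_SIMPLE = {"DENY", "SAMEORIGIN"}

def normalize_x_frame_options(value):
    """Validate an operator-supplied value and return it canonicalised."""
    # Anything other than DENY, SAMEORIGIN or ALLOW-FROM <absolute-uri> is
    # rejected so a typo in the flag fails at startup, not as an ignored header.
    parts = value.strip().split(None, 1)
    keyword = parts[0].upper() if parts else ""
    if keyword in _XFO_SIMPLE and len(parts) == 1:
        return keyword
    if keyword == "ALLOW-FROM" and len(parts) == 2:
        origin = urlsplit(parts[1].strip())
        if origin.scheme in ("http", "https") and origin.netloc:
            return f"ALLOW-FROM {origin.scheme}://{origin.netloc}"
    raise ValueError(f"invalid X-Frame-Options value: {value!r}")

def is_valid_x_frame_options(value):
    """True if the value would be accepted as a startup option."""
    try:
        normalize_x_frame_options(value)
        return True
    except ValueError:
        return False

def security_headers(x_frame_options=None, xss_protection=False):
    """Extra response headers for the given (hypothetical) startup options."""
    headers = {}  # opt-in semantics from the comment: no flag, no header
    if x_frame_options is not None:
        headers["X-Frame-Options"] = normalize_x_frame_options(x_frame_options)
    if xss_protection:
        headers["X-XSS-Protection"] = "1; mode=block"
    return headers

def framing_allowed(response_headers, page_origin, embedder_origin):
    """Would a browser honouring X-Frame-Options let embedder_origin frame the page?"""
    value = {k.lower(): v for k, v in response_headers.items()}.get("x-frame-options")
    if value is None:
        return True  # no header at all: any origin may frame it (the clickjacking case)
    keyword, _, uri = value.strip().partition(" ")
    keyword = keyword.upper()
    if keyword == "DENY":
        return False
    if keyword == "SAMEORIGIN":
        return embedder_origin == page_origin
    if keyword == "ALLOW-FROM":
        return embedder_origin == uri.strip()
    return True  # unrecognised value: browsers ignore the header
```

ALLOW-FROM was never implemented by Chrome or Safari, which ignore the whole header when they see it, so DENY or SAMEORIGIN is the value to recommend for a UI that should not be embedded at all.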



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)