[
https://issues.apache.org/jira/browse/MESOS-5918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15983568#comment-15983568
]
Jacob Janco edited comment on MESOS-5918 at 4/25/17 8:40 PM:
-------------------------------------------------------------
[~greggomann] [~anandmazumdar][~mlunoe][~xujyan] Reopening a bit of discussion
on replacing the jsonp workaround with CORS handling server side. An initial
idea is to have a configurable regex for domains available for cross origin
requests which will match against sent Origin headers. At this point I don't
think we'll have to support preflighting requests to add this functionality.
Another consideration, should this be a libprocess level configuration or
perhaps a flag set on masters and agents?
was (Author: jjanco):
[~greggomann] [~anandmazumdar][~mlunoe] Reopening a bit of discussion on
replacing the jsonp workaround with CORS handling server side. An initial idea
is to have a configurable regex for domains available for cross origin requests
which will match against sent Origin headers. At this point I don't think we'll
have to support preflighting requests to add this functionality. Another
consideration, should this be a libprocess level configuration or perhaps a
flag set on masters and agents?
> Replace jsonp with a more secure alternative
> --------------------------------------------
>
> Key: MESOS-5918
> URL: https://issues.apache.org/jira/browse/MESOS-5918
> Project: Mesos
> Issue Type: Improvement
> Components: webui
> Reporter: Yan Xu
>
> We currently use the {{jsonp}} technique to bypass CORS check. This practice
> has many security concerns (see discussions on MESOS-5911) so we should
> replace it with a better alternative.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
