[jira] [Commented] (TEZ-3966) Tez UI config couldn't be executed in browser

Thu, 05 Jul 2018 14:04:16 -0700 


    [ 
https://issues.apache.org/jira/browse/TEZ-3966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16534151#comment-16534151
 ] 

Jonathan Eagles commented on TEZ-3966:
--------------------------------------

[~rlukin], Was looking at this change to trying to reproduce. Uploaded a simple 
server I was using to induce the nosniff as well as other options. However, I 
was never able to reproduce this.

{code}
// build the tez ui
$ mvn clean install -DskipTests -Dmaven.javadoc.skip
// run a server with nosnif enabled
$ cd $TEZ/tez-ui/target/tez-ui-0.10.0-SNAPSHOT
$ $BIN/simple-cors-http-server.py
// navigate to 127.0.0.1:8000
{code}

Unless I am mistaken (which is highly possible as I am no expert in Web Tech). 
I think this has little to do with Tez UI and instead to do with Ambari 
config.env loading. config.env is fetched from the browser under the tez ui 
under a '<script>' when I look at the page source, which implicitly gives it 
the correct type of javascript. I wonder how Ambari is causing the config.env 
to be loaded.

That being said, I don't see any reason to have config.env use the env 
extension. And that this patch would 'fix' this issue. Is there a way to 
confirm how Ambari is loading the config.env? Even better if someone from 
Ambari could look at this scenario. [~Sreenath].

> Tez UI config couldn't be executed in browser 
> ----------------------------------------------
>
>                 Key: TEZ-3966
>                 URL: https://issues.apache.org/jira/browse/TEZ-3966
>             Project: Apache Tez
>          Issue Type: Bug
>          Components: UI
>            Reporter: Roman Lukin
>            Priority: Major
>         Attachments: Selection_043.png, Selection_044.png, 
> simple-cors-http-server.py
>
>
> Current name convention applied to the ui configuration file, produce the 
> following error in web browser - mime type check fails (which based on file 
> extesion) and if  header `X-Content-Type-Options: nosniff` enabled config 
> wouldn't be executed and used. As a result we may have problems, for instance 
> links based on variable `yarnProtocol`.
> More about header - 
> [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options]
> Possible solution - rename file `config.env` to `config.js` 
> [https://github.com/apache/tez/pull/26] 
> [https://github.com/rlukin/tez/commit/8db8c04faee04dc161c90c3961233ec5aa40518e]
>  
> Steps to reproduce:
>  * Enable aforementioned header on web server
>  * Try to load tez ui



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to