Hello Alexey Serbin, Andrew Wong,

I'd like you to do a code review. Please visit

    http://gerrit.cloudera.org:8080/18285

to review the following change.


Change subject: [www] Add CSP header to web UI
......................................................................

[www] Add CSP header to web UI

CSP (Content Security Policy) headers provide a way to tell the browser
where assets can be loaded from to prevent XSS attacks. Kudu's web UI is
read-only, at least for now, so it's not susceptible to XSS attacks,
but some security scanners still flag it as vulnerable due to not having
this header.

This patch adds a CSP header that allows loading assets on the same
host, and some inline styles and images in jQuery. It also removes all
inline style definitions from first-party files and moves them to
kudu.css.

There's no good way to write a unit test for this, as it requires a
GUI browser (curl doesn't load external resources and doesn't use
JavaScript), but I tested it manually both through HTTP and HTTPS and
confirmed there are no related errors in the JS console.

Change-Id: I411d8f4ca079bfd5584f563aeeaa867833eb1106
---
M src/kudu/server/webserver.cc
M www/kudu.css
M www/startup.mustache
3 files changed, 21 insertions(+), 5 deletions(-)



  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/85/18285/1
--
To view, visit http://gerrit.cloudera.org:8080/18285
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I411d8f4ca079bfd5584f563aeeaa867833eb1106
Gerrit-Change-Number: 18285
Gerrit-PatchSet: 1
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
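As an added example (not code from this Kudu change or from the project), the snippet below shows the kind of check a scanner or a reviewer applies to a Content-Security-Policy value: it parses the header into directives and flags sources that would still permit script injection. The policy string is constructed to match the commit message's description (same-host assets, inline styles and images allowed); the actual value set in webserver.cc is not shown on this page and is an assumption here.

```python
"""Parse and audit a Content-Security-Policy header value.

Added example, not part of the Kudu patch. SAMPLE_POLICY is a constructed
guess at a policy matching the commit message, not the real header value.
"""
from typing import Dict, List

# Constructed sample policy (assumption, not the value from webserver.cc):
# assets from the same host only, inline styles and data: images permitted.
SAMPLE_POLICY = (
    "default-src 'self'; style-src 'self' 'unsafe-inline'; "
    "img-src 'self' data:"
)


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for raw in value.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        name = parts[0].lower()  # directive names are case-insensitive
        # Per the CSP spec a repeated directive is ignored after the first.
        policy.setdefault(name, parts[1:])
    return policy


def audit_csp(value: str) -> List[str]:
    """Return findings about what the policy still lets a browser execute.

    An empty list means scripts are pinned to same-origin sources with no
    inline execution, which is what the header in the commit aims for.
    """
    policy = parse_csp(value)
    findings: List[str] = []
    if "script-src" not in policy and "default-src" not in policy:
        return ["high: no script-src or default-src, scripts may load from anywhere"]
    # script-src falls back to default-src when it is not given.
    script_sources = (
        policy["script-src"] if "script-src" in policy else policy["default-src"]
    )
    for src in script_sources:
        if src == "*" or src.startswith("*."):
            findings.append(f"high: script sources include wildcard {src}")
        elif src in ("'unsafe-inline'", "'unsafe-eval'", "data:"):
            findings.append(f"high: script sources allow {src}")
    # Inline styles do not run script, so this is informational only.
    if "'unsafe-inline'" in policy.get("style-src", []):
        findings.append("info: style-src permits inline styles (no script execution)")
    return findings


def header_line(value: str) -> str:
    """Render the header as it would appear in an HTTP response."""
    return f"Content-Security-Policy: {value}"


if __name__ == "__main__":
    print(header_line(SAMPLE_POLICY))
    for finding in audit_csp(SAMPLE_POLICY) or ["ok: no script-related findings"]:
        print("  ", finding)
```

Running the module prints the rendered header and, for the constructed sample, only the informational note about inline styles; a policy such as `default-src *` is reported as a high finding because it leaves script loading unrestricted.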