Khazar Mammadli has uploaded a new patch set (#2) to the change originally created by Attila Bukor. ( http://gerrit.cloudera.org:8080/18285 )
Change subject: [www] Add CSP header to web UI
......................................................................

[www] Add CSP header to web UI

CSP (Content Security Policy) headers provide a way to tell the browser where assets can be loaded from to prevent XSS attacks. Kudu's web UI is read-only, at least for now, so it's not susceptible to XSS attacks, but some security scanners still flag it as vulnerable due to not having this header.

This patch adds a CSP header that allows loading assets on the same host, and some inline styles and images in jQuery. It also removes all inline style definitions from first-party files and moves them to kudu.css.

There's no good way to write a unit test for this, as it requires a GUI browser (curl doesn't load external resources and doesn't use JavaScript), but I tested it manually both through HTTP and HTTPS and confirmed there are no related errors in the JS console.

Change-Id: I411d8f4ca079bfd5584f563aeeaa867833eb1106
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M www/kudu.css
M www/startup.mustache
4 files changed, 53 insertions(+), 7 deletions(-)

  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/85/18285/2

--
To view, visit http://gerrit.cloudera.org:8080/18285
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I411d8f4ca079bfd5584f563aeeaa867833eb1106
Gerrit-Change-Number: 18285
Gerrit-PatchSet: 2
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Khazar Mammadli <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
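The commit message describes a policy that restricts assets to the same host while still permitting the inline styles and images jQuery needs. The following is an added example, not code from the Kudu change, showing how a scanner of the kind mentioned above parses such a header and decides whether it actually constrains script execution; SAMPLE_CSP is a constructed stand-in, not the header value in webserver.cc.

```python
from typing import Dict, List

# Constructed sample; the real header value lives in src/kudu/server/webserver.cc.
SAMPLE_CSP = ("default-src 'self'; style-src 'self' 'unsafe-inline'; "
              "img-src 'self' data:")

# Source expressions that let arbitrary script run, defeating the point of CSP.
RISKY_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.

    Directive names are case-insensitive; when a directive is repeated,
    browsers keep only the first occurrence, so we do the same.
    """
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources for a fetch directive, falling back to default-src as a browser does."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(header: str) -> List[str]:
    """Return the findings a scanner would raise against this policy.

    An empty list means script is limited to an explicit host list; allowing
    'unsafe-inline' for style-src alone (as the change does) is not flagged,
    because it does not widen where script can come from.
    """
    policy = parse_csp(header)
    findings = []
    if "script-src" not in policy and "default-src" not in policy:
        findings.append("no script-src or default-src: scripts may load from anywhere")
    for src in effective_sources(policy, "script-src"):
        if src in RISKY_SCRIPT_SOURCES:
            findings.append(f"script-src allows {src}")
    return findings


if __name__ == "__main__":
    print(audit_csp(SAMPLE_CSP))        # [] for the constructed sample
    print(audit_csp("default-src *"))   # ["script-src allows *"]
```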
