Alexey Serbin has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/18285 )

Change subject: [www] Add CSP header to web UI
......................................................................

[www] Add CSP header to web UI

CSP (Content Security Policy) headers provide a way to tell the browser
where assets can be loaded from to prevent XSS attacks. Kudu's web UI is
read-only, at least for now, so it's not susceptible to XSS attacks,
but some security scanners still flag it as vulnerable due to not having
this header.

This patch adds a CSP header that allows loading assets on the same
host, and some inline styles and images in jQuery. It also removes all
inline style definitions from first-party files and moves them to
kudu.css.

There's no good way to write a unit test for this, as it requires a
GUI browser (curl doesn't load external resources and doesn't use
JavaScript), but I tested it manually both through HTTP and HTTPS and
confirmed there are no related errors in the JS console.

Change-Id: I411d8f4ca079bfd5584f563aeeaa867833eb1106
Reviewed-on: http://gerrit.cloudera.org:8080/18285
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <[email protected]>
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M www/kudu.css
M www/startup.mustache
4 files changed, 50 insertions(+), 5 deletions(-)

Approvals:
  Kudu Jenkins: Verified
  Alexey Serbin: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/18285

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I411d8f4ca079bfd5584f563aeeaa867833eb1106
Gerrit-Change-Number: 18285
Gerrit-PatchSet: 7
Gerrit-Owner: Attila Bukor <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Wong <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Khazar Mammadli <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Tidy Bot (241)

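The commit message above describes a CSP that permits same-host assets plus the inline styles and images jQuery needs, and notes that scanners flag the UI when the header is absent. The following is an added example, not part of this Gerrit notification and not Kudu's code from webserver.cc: it builds a policy of that shape, parses a Content-Security-Policy header into directives, and audits it the way a scanner would (missing header, missing default-src fallback, inline or eval'd scripts, wildcard origins). The exact directive values are an assumption about what "same host, inline styles and images" translates to; the header string Kudu actually sends is not quoted on this page. The sample response headers at the bottom are constructed.

```python
"""Build and audit a Content-Security-Policy header.

Added example; not Kudu's implementation. The policy values below are an
assumption about what "same-host assets plus inline styles and images for
jQuery" looks like, not the literal header from webserver.cc.
"""
from typing import Dict, List, Optional

# Assumed policy: everything from the same origin, inline CSS allowed (jQuery
# sets element styles), images from the same origin or data: URIs.
ASSUMED_POLICY = {
    "default-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
}

# Fetch directives that fall back to default-src when not listed explicitly.
FETCH_DIRECTIVES = ("script-src", "style-src", "img-src", "connect-src",
                    "font-src", "object-src", "frame-src")


def build_csp(policy: Dict[str, List[str]] = ASSUMED_POLICY) -> str:
    """Serialise a directive map into a header value: 'name v1 v2; name v3'."""
    return "; ".join(f"{name} {' '.join(values)}" for name, values in policy.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [source expressions]}.

    Directive names are case-insensitive; source keywords such as 'self'
    keep their single quotes, which is how browsers distinguish them from
    host names.
    """
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, *values = parts
        policy[name.lower()] = values
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Sources that apply to a fetch directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header: Optional[str]) -> List[str]:
    """Return scanner-style findings for a header value; empty list means clean.

    'unsafe-inline' in style-src is not reported: that is the deliberate
    trade-off the commit describes, and inline CSS cannot run script.
    """
    if header is None or not header.strip():
        return ["missing Content-Security-Policy header"]
    findings: List[str] = []
    policy = parse_csp(header)
    if "default-src" not in policy:
        findings.append("no default-src: fetch directives not listed are unrestricted")
    script = effective_sources(policy, "script-src")
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline'")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    for directive in ("default-src",) + FETCH_DIRECTIVES:
        for src in effective_sources(policy, directive):
            if src in ("*", "http:", "https:"):
                findings.append(f"{directive} allows any origin ({src})")
                break
    return findings


def audit_response(headers: Dict[str, str]) -> List[str]:
    """Audit a response's headers; HTTP header names are case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return audit_csp(lowered.get("content-security-policy"))


# Constructed sample responses: before the patch (no header), after (assumed
# policy), and a permissive policy a scanner would still flag.
SAMPLE_RESPONSES = {
    "before": {"Content-Type": "text/html", "Server": "kudu"},
    "after": {"Content-Type": "text/html", "Content-Security-Policy": build_csp()},
    "weak": {"Content-Security-Policy": "default-src * 'unsafe-inline'"},
}

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name}: {audit_response(headers) or 'clean'}")
```

`audit_csp` only reports what would let foreign or inline script run; a scanner with stricter rules would also note that `style-src 'unsafe-inline'` is present, which is the trade-off the commit accepts for jQuery. Because curl does not evaluate the policy, this header-level check is the part of the manual test that can be automated; whether the page then renders without console errors still needs a browser, as the commit message says.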