Yicong-Huang opened a new pull request, #53331: URL: https://github.com/apache/spark/pull/53331
### What changes were proposed in this pull request?

This PR adds a test to ensure that Jetty sanitizes newlines in the `X-Frame-Options` HTTP header, preventing HTTP header injection attacks. The test verifies that when `spark.ui.allowFramingFrom` contains newline characters (which could occur if someone bypasses config validation), Jetty automatically sanitizes them by replacing newlines with spaces.

### Why are the changes needed?

This is a follow-up test for SPARK-54563. While the main PR adds validation to prevent newlines in `spark.ui.allowFramingFrom` at the configuration level, this test ensures defense-in-depth by verifying that Jetty (the underlying HTTP server) also sanitizes newlines in HTTP headers. This protects against scenarios where:

- Configuration validation is bypassed (e.g., through direct property setting)
- Future changes might inadvertently allow newlines
- Other code paths set the header value

### Does this PR introduce _any_ user-facing change?

No, this PR only adds a test case. It does not change any user-facing behavior.

### How was this patch tested?

Added a new test.

### Was this patch authored or co-authored using generative AI tooling?

No

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
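The two layers the PR describes, as an added example that is not Spark's or Jetty's code: a config-time check that rejects CR/LF in the `allowFramingFrom` value, and a Jetty-style fallback that replaces any newline still reaching the header writer with a space. A constructed minimal response builder and a naive header parser show why the second layer matters when the first is bypassed; all function names and the sample value are assumptions.

```python
"""Constructed illustration of defense-in-depth against HTTP header injection
in X-Frame-Options. Not Spark's or Jetty's implementation."""

CRLF_CHARS = ("\r", "\n")


def validate_allow_framing_from(value: str) -> str:
    """Layer 1: configuration-level validation (hypothetical analogue of the
    spark.ui.allowFramingFrom check). Rejects any CR or LF outright."""
    if any(c in value for c in CRLF_CHARS):
        raise ValueError("spark.ui.allowFramingFrom must not contain newline characters")
    return value


def config_rejects(value: str) -> bool:
    """True when layer 1 refuses the value."""
    try:
        validate_allow_framing_from(value)
    except ValueError:
        return True
    return False


def sanitize_header_value(value: str) -> str:
    """Layer 2: server-side sanitisation as the PR describes Jetty doing,
    newline characters become spaces so the header cannot be split."""
    return value.replace("\r", " ").replace("\n", " ")


def build_response(allow_from: str, sanitize: bool) -> bytes:
    """Constructed minimal HTTP/1.1 response carrying X-Frame-Options.
    With sanitize=False the raw value is written, as if every check were bypassed."""
    value = sanitize_header_value(allow_from) if sanitize else allow_from
    lines = ["HTTP/1.1 200 OK", f"X-Frame-Options: ALLOW-FROM {value}", "Content-Length: 0"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def parse_headers(raw: bytes) -> dict:
    """Parse the header block the way a naive client would: one header per CRLF line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, val = line.partition(":")
        headers[name.strip()] = val.strip()
    return headers


def header_count(allow_from: str, sanitize: bool) -> int:
    """Number of headers a client sees; an injected CRLF adds one unless sanitized."""
    return len(parse_headers(build_response(allow_from, sanitize)))


# Constructed value that a bypassed config check might let through.
INJECTED = "https://example.com\r\nX-Injected: yes"
```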
