sarutak opened a new pull request, #56669:
URL: https://github.com/apache/spark/pull/56669

   ### What changes were proposed in this pull request?
   
   This PR fixes the `spark.ui.allowFramingFrom` configuration to use CSP 
`frame-ancestors` directive instead of the deprecated `X-Frame-Options: 
ALLOW-FROM`.
   
   According to [MDN Web 
Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options#allow-from_origin):
   
   > **`ALLOW-FROM origin`** — This is an obsolete directive. Modern browsers 
that encounter response headers with this directive will ignore the header 
completely. The `Content-Security-Policy` HTTP header has a `frame-ancestors` 
directive which you should use instead.
   
   As a result, users who set `spark.ui.allowFramingFrom` to allow framing from 
a specific origin find that **the setting has no effect** in any current 
browser.
   
   The fix:
   - Uses CSP `frame-ancestors 'self' <uri>` as the primary clickjacking 
protection mechanism
   - Always sets `X-Frame-Options: SAMEORIGIN` as a fallback for legacy clients
   - When `spark.ui.contentSecurityPolicy.enabled=false` (the default), emits a 
minimal CSP header containing only `frame-ancestors` so that the 
`allowFramingFrom` setting works regardless of the full CSP toggle
   - Sanitizes the config value to prevent CSP directive injection via 
semicolons or newlines
   - Filters out legacy `X-Frame-Options` values (`SAMEORIGIN`, `DENY`) if 
explicitly set in `spark.ui.allowFramingFrom` for backward compatibility
   - Moves `X-Frame-Options` header before access control checks so that even 
403 error responses include clickjacking protection
   
   ### Why are the changes needed?
   The `spark.ui.allowFramingFrom` config has been non-functional in all modern 
browsers since `ALLOW-FROM` was obsoleted. Users relying on this setting for 
embedding Spark UI in iframes from specific origins have no working 
clickjacking protection. CSP `frame-ancestors` is the W3C-recommended 
replacement.
   
   ### Does this PR introduce _any_ user-facing change?
   Yes.
   
   - `spark.ui.allowFramingFrom` now works correctly in modern browsers via CSP 
`frame-ancestors`.
   - `X-Frame-Options` header is always `SAMEORIGIN` (previously it was 
`ALLOW-FROM <uri>` which browsers ignored).
   - A `Content-Security-Policy` header with `frame-ancestors` is now always 
emitted, even when `spark.ui.contentSecurityPolicy.enabled=false`.
   
   ### How was this patch tested?
   
   - Updated unit tests in `HttpSecurityFilterSuite` to verify the CSP 
`frame-ancestors` directive contains the configured URI
   - Updated unit tests to verify `X-Frame-Options` is always `SAMEORIGIN`
   - Updated integration test in `UISuite` to verify Jetty sanitizes newlines 
in the CSP header
   - Added test for CSP directive injection prevention via semicolons
   - Added test verifying `X-Frame-Options` is set even when access is denied 
(403 responses)
   - Added test coverage for CSP-disabled mode (verifies minimal 
`frame-ancestors` header is still emitted)
   
   ### Was this patch authored or co-authored using generative AI tooling?
   Kiro CLI / Claude


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to