dongjoon-hyun commented on code in PR #56669:
URL: https://github.com/apache/spark/pull/56669#discussion_r3453596803
##########
core/src/main/scala/org/apache/spark/ui/HttpSecurityFilter.scala:
##########
@@ -51,13 +51,36 @@ private class HttpSecurityFilter(
val cspNonce = CspNonce.generate()
try {
+ // SPARK-10589 avoid frame-related click-jacking vulnerability.
+ // Use CSP frame-ancestors as the primary mechanism (supported by all
modern browsers),
+ // with X-Frame-Options: SAMEORIGIN as a fallback for legacy clients.
+ // Note: X-Frame-Options ALLOW-FROM is deprecated and ignored by modern
browsers
+ // (Chrome, Firefox, Edge, Safari), so frame-ancestors is used instead.
+ val frameAncestors = conf.get(UI_ALLOW_FRAMING_FROM)
+ .filterNot(v => v.equalsIgnoreCase("SAMEORIGIN") ||
v.equalsIgnoreCase("DENY"))
+ .map { uri =>
+ // Sanitize the URI: truncate at semicolons to prevent CSP directive
injection,
+ // and strip newlines to prevent header injection.
+ val sanitized = uri.replaceAll("[\\r\\n]+", "").split(";", 2)(0).trim
+ s"frame-ancestors 'self' $sanitized"
+ }
+ .getOrElse("frame-ancestors 'self'")
+
if (conf.get(UI_CONTENT_SECURITY_POLICY_ENABLED)) {
hres.setHeader("Content-Security-Policy",
s"default-src 'self'; script-src 'self' 'nonce-$cspNonce'; " +
s"style-src 'self' 'unsafe-inline'; img-src 'self' data:; " +
- s"object-src 'none'; base-uri 'self';")
+ s"object-src 'none'; base-uri 'self'; $frameAncestors;")
+ } else {
+ // Even when the full CSP is disabled, set frame-ancestors to enforce
+ // the allowFramingFrom setting in browsers that support CSP.
+ hres.setHeader("Content-Security-Policy", s"$frameAncestors;")
Review Comment:
May I ask if there is a way to have this feature without `CSP` header?
Although I agree with your intention, this looks like a conflict to our CSP
config option. `CSP` header should not be used when the CSP configuration is
off. In other words, this is a sub feature of `CSP` parent configuration.
> Even when the full CSP is disabled, set frame-ancestors to enforce the
allowFramingFrom setting in browsers that support CSP.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]