dongjoon-hyun commented on code in PR #56669:
URL: https://github.com/apache/spark/pull/56669#discussion_r3453596803


##########
core/src/main/scala/org/apache/spark/ui/HttpSecurityFilter.scala:
##########
@@ -51,13 +51,36 @@ private class HttpSecurityFilter(
 
     val cspNonce = CspNonce.generate()
     try {
+      // SPARK-10589 avoid frame-related click-jacking vulnerability.
+      // Use CSP frame-ancestors as the primary mechanism (supported by all 
modern browsers),
+      // with X-Frame-Options: SAMEORIGIN as a fallback for legacy clients.
+      // Note: X-Frame-Options ALLOW-FROM is deprecated and ignored by modern 
browsers
+      // (Chrome, Firefox, Edge, Safari), so frame-ancestors is used instead.
+      val frameAncestors = conf.get(UI_ALLOW_FRAMING_FROM)
+        .filterNot(v => v.equalsIgnoreCase("SAMEORIGIN") || 
v.equalsIgnoreCase("DENY"))
+        .map { uri =>
+          // Sanitize the URI: truncate at semicolons to prevent CSP directive 
injection,
+          // and strip newlines to prevent header injection.
+          val sanitized = uri.replaceAll("[\\r\\n]+", "").split(";", 2)(0).trim
+          s"frame-ancestors 'self' $sanitized"
+        }
+        .getOrElse("frame-ancestors 'self'")
+
       if (conf.get(UI_CONTENT_SECURITY_POLICY_ENABLED)) {
         hres.setHeader("Content-Security-Policy",
           s"default-src 'self'; script-src 'self' 'nonce-$cspNonce'; " +
           s"style-src 'self' 'unsafe-inline'; img-src 'self' data:; " +
-          s"object-src 'none'; base-uri 'self';")
+          s"object-src 'none'; base-uri 'self'; $frameAncestors;")
+      } else {
+        // Even when the full CSP is disabled, set frame-ancestors to enforce
+        // the allowFramingFrom setting in browsers that support CSP.
+        hres.setHeader("Content-Security-Policy", s"$frameAncestors;")

Review Comment:
   May I ask if there is a way to have this feature without `CSP` header?
   
   Although I agree with your intention, this looks like a conflict to our CSP 
config option. `CSP` header should not be used when the CSP configuration is 
off. In other words, this is a sub feature of `CSP` parent configuration.
   
   > Even when the full CSP is disabled, set frame-ancestors to enforce the 
allowFramingFrom setting in browsers that support CSP.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to