sarutak commented on code in PR #56669:
URL: https://github.com/apache/spark/pull/56669#discussion_r3453973041
##########
core/src/main/scala/org/apache/spark/ui/HttpSecurityFilter.scala:
##########
@@ -51,13 +51,36 @@ private class HttpSecurityFilter(
val cspNonce = CspNonce.generate()
try {
+ // SPARK-10589 avoid frame-related click-jacking vulnerability.
+ // Use CSP frame-ancestors as the primary mechanism (supported by all
modern browsers),
+ // with X-Frame-Options: SAMEORIGIN as a fallback for legacy clients.
+ // Note: X-Frame-Options ALLOW-FROM is deprecated and ignored by modern
browsers
+ // (Chrome, Firefox, Edge, Safari), so frame-ancestors is used instead.
+ val frameAncestors = conf.get(UI_ALLOW_FRAMING_FROM)
+ .filterNot(v => v.equalsIgnoreCase("SAMEORIGIN") ||
v.equalsIgnoreCase("DENY"))
+ .map { uri =>
+ // Sanitize the URI: truncate at semicolons to prevent CSP directive
injection,
+ // and strip newlines to prevent header injection.
+ val sanitized = uri.replaceAll("[\\r\\n]+", "").split(";", 2)(0).trim
+ s"frame-ancestors 'self' $sanitized"
+ }
+ .getOrElse("frame-ancestors 'self'")
+
if (conf.get(UI_CONTENT_SECURITY_POLICY_ENABLED)) {
hres.setHeader("Content-Security-Policy",
s"default-src 'self'; script-src 'self' 'nonce-$cspNonce'; " +
s"style-src 'self' 'unsafe-inline'; img-src 'self' data:; " +
- s"object-src 'none'; base-uri 'self';")
+ s"object-src 'none'; base-uri 'self'; $frameAncestors;")
+ } else {
+ // Even when the full CSP is disabled, set frame-ancestors to enforce
+ // the allowFramingFrom setting in browsers that support CSP.
+ hres.setHeader("Content-Security-Policy", s"$frameAncestors;")
Review Comment:
> May I ask if there is a way to have this feature without CSP header?
There is no browser mechanism to allow framing from a specific origin
without `Content-Security-Policy: frame-ancestors`. `X-Frame-Options` only
supports `DENY` and `SAMEORIGIN` in modern browsers (`ALLOW-FROM` is obsolete
and ignored).
So we have two options:
1. **Emit a minimal CSP header (`frame-ancestors` only) when CSP is
disabled**
`allowFramingFrom` works regardless of CSP config, but it's inconsistent
with the CSP toggle.
2. **No CSP header when CSP is disabled**
Consistent with the CSP config, but `allowFramingFrom` only takes effect
when `spark.ui.contentSecurityPolicy.enabled=true`. When CSP is disabled,
`X-Frame-Options: SAMEORIGIN` is always used regardless of the
`allowFramingFrom` value.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]