dongjoon-hyun commented on PR #56669:
URL: https://github.com/apache/spark/pull/56669#issuecomment-4801045268

   Exactly! That's the reason why this PR description proposes `Always sets 
X-Frame-Options: SAMEORIGIN as a fallback for legacy clients`, right? IIUC, you 
proposed that `spark.ui.allowFramingFrom` works with the fallback legacy 
behavior without `contentSecurityPolicy`.
   
   > However, spark.ui.allowFramingFrom is not a sub-config of 
contentSecurityPolicy. It's an independent config that has existed since Spark 
1.6.0, long before CSP support was added. If we enforce the parent-child rule 
strictly here, allowFramingFrom becomes non-functional unless users explicitly 
enable CSP, which changes the originally intended default behavior of this 
config.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to