dongjoon-hyun commented on PR #56669: URL: https://github.com/apache/spark/pull/56669#issuecomment-4801045268
Exactly! That's the reason why this PR description proposes `Always sets X-Frame-Options: SAMEORIGIN as a fallback for legacy clients`, right? IIUC, you proposed that `spark.ui.allowFramingFrom` works with the fallback legacy behavior without `contentSecurityPolicy`. > However, spark.ui.allowFramingFrom is not a sub-config of contentSecurityPolicy. It's an independent config that has existed since Spark 1.6.0, long before CSP support was added. If we enforce the parent-child rule strictly here, allowFramingFrom becomes non-functional unless users explicitly enable CSP, which changes the originally intended default behavior of this config. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
