Github user krishna-pandey commented on a diff in the pull request:
https://github.com/apache/spark/pull/19419#discussion_r144281816
--- Diff: core/src/main/scala/org/apache/spark/ui/JettyUtils.scala ---
@@ -89,6 +92,9 @@ private[spark] object JettyUtils extends Logging {
val result = servletParams.responder(request)
response.setHeader("Cache-Control", "no-cache, no-store,
must-revalidate")
response.setHeader("X-Frame-Options", xFrameOptionsValue)
+
xXssProtectionValue.foreach(response.setHeader("X-XSS-Protection", _))
+
xContentTypeOptionsValue.foreach(response.setHeader("X-Content-Type-Options",
_))
+
strictTransportSecurityValue.foreach(response.setHeader("Strict-Transport-Security",
_))
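Review bot: the last two lines of the hunk emit Strict-Transport-Security whenever strictTransportSecurityValue is defined, with no check that the response is actually going out over TLS; per RFC 6797 a user agent ignores the header on a non-TLS connection, so sending it on plain HTTP does nothing for the client and can give operators a false sense of coverage. Gate it on the SSL configuration or on the request itself rather than only on the value being set, e.g. `if (request.isSecure) strictTransportSecurityValue.foreach(response.setHeader("Strict-Transport-Security", _))`, and leave the three preceding headers unconditional as they are.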
--- End diff --
@jerryshao I added a check to set the STS header only if SSL is enabled.
However, the STS header was not stopping the browser from rendering the content even
when it was set and Spark was running on plain HTTP. I need to get the expected
behaviour here.
[screenshot: "screen shot 2017-10-12 at 6 22 18 pm", https://user-images.githubusercontent.com/6433184/31497151-ba7f7dac-af7b-11e7-99ea-88b64c778b51.png]
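The behaviour described in the comment above is what RFC 6797 specifies: a browser only honours Strict-Transport-Security when it arrives over a TLS connection, and even then the header does not block rendering of the current page; it only makes the browser upgrade later plain-HTTP requests to that host. The checker below is an added example, not code from the Spark PR or the Spark project. It parses a raw HTTP response, verifies the four headers the hunk sets, and flags HSTS as ineffective when the URL scheme is http. The accepted header values, the host name spark-master and the sample responses are assumptions constructed for the example.

```python
# Added example (not code from the Spark PR or the Spark project): an offline
# checker for the response headers the JettyUtils hunk emits.  The header names
# come from the diff; the accepted values and the sample responses below are
# assumptions constructed for this example.
from urllib.parse import urlparse

# Accepted values per header.  Assumption: these are what an operator would
# configure; Spark's own defaults are not taken from the page.
ACCEPTED = {
    "x-frame-options": {"DENY", "SAMEORIGIN"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1; mode=block", "0"},
}


def parse_headers(raw_response):
    """Parse the header block of a raw HTTP/1.1 response into a dict keyed by
    lower-cased header name.  The status line is skipped and parsing stops at
    the blank line that ends the header block, so the body is never touched."""
    headers = {}
    for line in raw_response.split("\r\n")[1:]:
        if line == "":
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_directives(value):
    """Split a Strict-Transport-Security value such as
    'max-age=31536000; includeSubDomains' into
    {'max-age': '31536000', 'includesubdomains': ''}.
    Directive names are case-insensitive per RFC 6797."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    return directives


def check_security_headers(url, raw_response):
    """Return a list of findings for the response; an empty list means every
    check passed.  The HSTS rule depends on the scheme: browsers only honour
    Strict-Transport-Security received over TLS, so on plain HTTP the header
    is reported as ineffective rather than counted as a pass."""
    scheme = urlparse(url).scheme.lower()
    headers = parse_headers(raw_response)
    findings = []

    for name, accepted in ACCEPTED.items():
        if name not in headers:
            findings.append(f"missing {name}")
        elif headers[name] not in accepted:
            findings.append(f"unexpected {name}: {headers[name]!r}")

    hsts = headers.get("strict-transport-security")
    if scheme == "https":
        if hsts is None:
            findings.append("missing strict-transport-security over https")
        else:
            max_age = hsts_directives(hsts).get("max-age")
            if max_age is None or not max_age.isdigit() or int(max_age) == 0:
                findings.append(
                    f"strict-transport-security has no positive max-age: {hsts!r}")
    elif hsts is not None:
        findings.append("strict-transport-security sent over plain http; "
                        "browsers ignore it (RFC 6797)")
    return findings


# Constructed sample responses (not captured from a real Spark UI).
HTTP_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
    "<html><body>Spark Jobs</body></html>"
)

HTTPS_MISSING_OPTIONAL = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-cache, no-store, must-revalidate\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for url, raw in [("http://spark-master:4040/", HTTP_WITH_HSTS),
                     ("https://spark-master:4040/", HTTP_WITH_HSTS),
                     ("https://spark-master:4040/", HTTPS_MISSING_OPTIONAL)]:
        print(url, check_security_headers(url, raw) or "ok")
```

Run against the same header set, the http URL yields a single finding about HSTS being ignored over plain HTTP while the https URL passes cleanly, which is the distinction the conditional in the PR is meant to enforce on the server side.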