Github user krishna-pandey commented on the issue:
https://github.com/apache/spark/pull/19419
@tgravescs These generic headers are about providing available client-side
protection for the application. I also think even if there is no sensitive data
to formulate an attack by itself here, the information can be used in
conjunction to target other ecosystem components. Also, in future we may add an
interface for data access. Now is the time to think of Security First.
Cross-site Scripting is one of the most prevalent attack vectors and has been an
OWASP Top 10 risk for web applications for decades. As the effort to have these
in place here is minimal, IMHO we should set these.
As you rightly mentioned, deployment on the cloud can expand the attack surface
pretty wide in the absence of the right firewall policy. Also, let's not forget insider
threats inside corporate networks.
Going forward, maybe we will have enough insight to choose which headers
need to be enabled by default, and enforce them from the application side and
not leave it to users.