[kudu-CR] webserver: add X-Frame-Options header

2017-03-02 Thread Todd Lipcon (Code Review)
Todd Lipcon has posted comments on this change.

Change subject: webserver: add X-Frame-Options header
..


Patch Set 3:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6215/3/src/kudu/server/webserver.cc
File src/kudu/server/webserver.cc:

Line 70: TAG_FLAG(webserver_x_frame_options, advanced);
> Have a question not specific to the patch, wondering when a flag is tagged 
"advanced" doesn't actually affect anything at runtime, but it does place the 
flags into a different section of the auto-generated flag documentation. 
(Experimental and unsafe flags have the effect of having to be 'unlocked')


-- 
To view, visit http://gerrit.cloudera.org:8080/6215
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon 
Gerrit-Reviewer: Dan Burkert 
Gerrit-Reviewer: Hao Hao 
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon 
Gerrit-HasComments: Yes


[kudu-CR] webserver: add X-Frame-Options header

2017-03-02 Thread Hao Hao (Code Review)
Hao Hao has posted comments on this change.

Change subject: webserver: add X-Frame-Options header
..


Patch Set 3:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6215/3/src/kudu/server/webserver.cc
File src/kudu/server/webserver.cc:

Line 70: TAG_FLAG(webserver_x_frame_options, advanced);
Have a question not specific to the patch, wondering when a flag is tagged as 
advanced, where is the logic to enforce "These flags are for advanced users"?


-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon 
Gerrit-Reviewer: Dan Burkert 
Gerrit-Reviewer: Hao Hao 
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon 
Gerrit-HasComments: Yes


[kudu-CR] webserver: add X-Frame-Options header

2017-03-02 Thread Todd Lipcon (Code Review)
Todd Lipcon has submitted this change and it was merged.

Change subject: webserver: add X-Frame-Options header
..


webserver: add X-Frame-Options header

This adds a default 'DENY' header in order to prevent Kudu web pages
from being put into cross-domain iframes. This can prevent clickjacking
attacks, and is generally considered a good idea for web security.

See: https://www.owasp.org/index.php/Clickjacking

Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Reviewed-on: http://gerrit.cloudera.org:8080/6215
Tested-by: Kudu Jenkins
Reviewed-by: Dan Burkert 
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/curl_util.cc
M src/kudu/util/curl_util.h
4 files changed, 29 insertions(+), 12 deletions(-)

Approvals:
  Dan Burkert: Looks good to me, approved
  Kudu Jenkins: Verified



-- 

Gerrit-MessageType: merged
Gerrit-Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon 
Gerrit-Reviewer: Dan Burkert 
Gerrit-Reviewer: Hao Hao 
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon 
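
An added example (not part of this thread and not Kudu's code): a conservative C++ audit of a raw HTTP response header block for the X-Frame-Options header that this change introduces. The enum and function names are hypothetical and the sample response is constructed; only a single unambiguous DENY or SAMEORIGIN is reported as a framing restriction, and Content-Security-Policy frame-ancestors is not modelled.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <set>
#include <sstream>
#include <string>

enum class FramePolicy { kDeny, kSameOrigin, kMissing, kInvalid };

// Trim whitespace (including the '\r' of CRLF line endings) and lowercase.
static std::string Normalize(std::string s) {
  auto not_space = [](unsigned char c) { return !std::isspace(c); };
  s.erase(s.begin(), std::find_if(s.begin(), s.end(), not_space));
  s.erase(std::find_if(s.rbegin(), s.rend(), not_space).base(), s.end());
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}

// Hypothetical audit helper: header names and values are matched
// case-insensitively; conflicting or unrecognised values are kInvalid.
FramePolicy AuditXFrameOptions(const std::string& raw_headers) {
  std::set<std::string> values;
  std::istringstream in(raw_headers);
  std::string line;
  while (std::getline(in, line)) {
    size_t colon = line.find(':');
    if (colon == std::string::npos) continue;  // status line or blank line
    if (Normalize(line.substr(0, colon)) != "x-frame-options") continue;
    // A comma-separated value is treated like repeated headers.
    std::istringstream parts(line.substr(colon + 1));
    std::string part;
    while (std::getline(parts, part, ',')) values.insert(Normalize(part));
  }
  if (values.empty()) return FramePolicy::kMissing;
  if (values.size() > 1) return FramePolicy::kInvalid;  // e.g. DENY + SAMEORIGIN
  if (*values.begin() == "deny") return FramePolicy::kDeny;
  if (*values.begin() == "sameorigin") return FramePolicy::kSameOrigin;
  return FramePolicy::kInvalid;  // e.g. ALLOW-FROM or a typo
}

int main() {
  // Constructed sample response headers, not captured from a Kudu server.
  const std::string sample =
      "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n";
  bool ok = AuditXFrameOptions(sample) == FramePolicy::kDeny;
  std::cout << (ok ? "framing denied" : "needs review") << "\n";
  return ok ? 0 : 1;
}
```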


[kudu-CR] webserver: add X-Frame-Options header

2017-03-02 Thread Dan Burkert (Code Review)
Dan Burkert has posted comments on this change.

Change subject: webserver: add X-Frame-Options header
..


Patch Set 2: Code-Review+2

-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon 
Gerrit-Reviewer: Dan Burkert 
Gerrit-Reviewer: Hao Hao 
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon 
Gerrit-HasComments: No


[kudu-CR] webserver: add X-Frame-Options header

2017-03-01 Thread Todd Lipcon (Code Review)
Hello Dan Burkert, Hao Hao,

I'd like you to reexamine a change.  Please visit

http://gerrit.cloudera.org:8080/6215

to look at the new patch set (#2).

Change subject: webserver: add X-Frame-Options header
..

webserver: add X-Frame-Options header

This adds a default 'DENY' header in order to prevent Kudu web pages
from being put into cross-domain iframes. This can prevent clickjacking
attacks, and is generally considered a good idea for web security.

See: https://www.owasp.org/index.php/Clickjacking

Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/curl_util.cc
M src/kudu/util/curl_util.h
4 files changed, 29 insertions(+), 12 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/15/6215/2
-- 

Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Gerrit-PatchSet: 2
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon 
Gerrit-Reviewer: Dan Burkert 
Gerrit-Reviewer: Hao Hao 
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon 


[kudu-CR] webserver: add X-Frame-Options header

2017-03-01 Thread Todd Lipcon (Code Review)
Todd Lipcon has posted comments on this change.

Change subject: webserver: add X-Frame-Options header
..


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6215/1/src/kudu/server/webserver.cc
File src/kudu/server/webserver.cc:

Line 67: DEFINE_string(webserver_x_frame_options, "DENY",
> evolving and/or advanced
Done


-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon 
Gerrit-Reviewer: Dan Burkert 
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon 
Gerrit-HasComments: Yes


[kudu-CR] webserver: add X-Frame-Options header

2017-03-01 Thread Dan Burkert (Code Review)
Dan Burkert has posted comments on this change.

Change subject: webserver: add X-Frame-Options header
..


Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6215/1/src/kudu/server/webserver.cc
File src/kudu/server/webserver.cc:

Line 67: DEFINE_string(webserver_x_frame_options, "DENY",
evolving and/or advanced


-- 

Gerrit-MessageType: comment
Gerrit-Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon 
Gerrit-Reviewer: Dan Burkert 
Gerrit-Reviewer: Kudu Jenkins
Gerrit-HasComments: Yes


[kudu-CR] webserver: add X-Frame-Options header

2017-03-01 Thread Todd Lipcon (Code Review)
Hello Dan Burkert,

I'd like you to do a code review.  Please visit

http://gerrit.cloudera.org:8080/6215

to review the following change.

Change subject: webserver: add X-Frame-Options header
..

webserver: add X-Frame-Options header

This adds a default 'DENY' header in order to prevent Kudu web pages
from being put into cross-domain iframes. This can prevent clickjacking
attacks, and is generally considered a good idea for web security.

See: https://www.owasp.org/index.php/Clickjacking

Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/curl_util.cc
M src/kudu/util/curl_util.h
4 files changed, 28 insertions(+), 12 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/15/6215/1
-- 

Gerrit-MessageType: newchange
Gerrit-Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Gerrit-PatchSet: 1
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon 
Gerrit-Reviewer: Dan Burkert