[kudu-CR] webserver: add X-Frame-Options header
Todd Lipcon has posted comments on this change.

Change subject: webserver: add X-Frame-Options header

Patch Set 3:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6215/3/src/kudu/server/webserver.cc
File src/kudu/server/webserver.cc:

Line 70: TAG_FLAG(webserver_x_frame_options, advanced);
> Have a question not specific to the patch, wondering when a flag is tagged

"advanced" doesn't actually affect anything at runtime, but it does place the flags into a different section of the auto-generated flag documentation. (Experimental and unsafe flags have the effect of having to be 'unlocked')

--
To view, visit http://gerrit.cloudera.org:8080/6215
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Gerrit-PatchSet: 3
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-Owner: Todd Lipcon
Gerrit-Reviewer: Dan Burkert
Gerrit-Reviewer: Hao Hao
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon
Gerrit-HasComments: Yes
[kudu-CR] webserver: add X-Frame-Options header
Hao Hao has posted comments on this change.

Change subject: webserver: add X-Frame-Options header

Patch Set 3:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6215/3/src/kudu/server/webserver.cc
File src/kudu/server/webserver.cc:

Line 70: TAG_FLAG(webserver_x_frame_options, advanced);

Have a question not specific to the patch, wondering when a flag is tagged as advanced where is the logic to enforce "These flags are for advanced users"?
[kudu-CR] webserver: add X-Frame-Options header
Todd Lipcon has submitted this change and it was merged.

Change subject: webserver: add X-Frame-Options header

webserver: add X-Frame-Options header

This adds a default 'DENY' header in order to prevent Kudu web pages from being put into cross-domain iframes. This can prevent clickjacking attacks, and is generally considered a good idea for web security.

See: https://www.owasp.org/index.php/Clickjacking

Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
Reviewed-on: http://gerrit.cloudera.org:8080/6215
Tested-by: Kudu Jenkins
Reviewed-by: Dan Burkert
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/curl_util.cc
M src/kudu/util/curl_util.h
4 files changed, 29 insertions(+), 12 deletions(-)

Approvals:
  Dan Burkert: Looks good to me, approved
  Kudu Jenkins: Verified
[kudu-CR] webserver: add X-Frame-Options header
Dan Burkert has posted comments on this change.

Change subject: webserver: add X-Frame-Options header

Patch Set 2: Code-Review+2
[kudu-CR] webserver: add X-Frame-Options header
Hello Dan Burkert, Hao Hao,

I'd like you to reexamine a change. Please visit http://gerrit.cloudera.org:8080/6215 to look at the new patch set (#2).

Change subject: webserver: add X-Frame-Options header

webserver: add X-Frame-Options header

This adds a default 'DENY' header in order to prevent Kudu web pages from being put into cross-domain iframes. This can prevent clickjacking attacks, and is generally considered a good idea for web security.

See: https://www.owasp.org/index.php/Clickjacking

Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/curl_util.cc
M src/kudu/util/curl_util.h
4 files changed, 29 insertions(+), 12 deletions(-)

git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/15/6215/2
[kudu-CR] webserver: add X-Frame-Options header
Todd Lipcon has posted comments on this change.

Change subject: webserver: add X-Frame-Options header

Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6215/1/src/kudu/server/webserver.cc
File src/kudu/server/webserver.cc:

Line 67: DEFINE_string(webserver_x_frame_options, "DENY",
> evolving and/or advanced

Done
[kudu-CR] webserver: add X-Frame-Options header
Dan Burkert has posted comments on this change.

Change subject: webserver: add X-Frame-Options header

Patch Set 1:

(1 comment)

http://gerrit.cloudera.org:8080/#/c/6215/1/src/kudu/server/webserver.cc
File src/kudu/server/webserver.cc:

Line 67: DEFINE_string(webserver_x_frame_options, "DENY",

evolving and/or advanced
[kudu-CR] webserver: add X-Frame-Options header
Hello Dan Burkert,

I'd like you to do a code review. Please visit http://gerrit.cloudera.org:8080/6215 to review the following change.

Change subject: webserver: add X-Frame-Options header

webserver: add X-Frame-Options header

This adds a default 'DENY' header in order to prevent Kudu web pages from being put into cross-domain iframes. This can prevent clickjacking attacks, and is generally considered a good idea for web security.

See: https://www.owasp.org/index.php/Clickjacking

Change-Id: Ie43ec476712c2574a4dc746dae6218f0a4195e09
---
M src/kudu/server/webserver-test.cc
M src/kudu/server/webserver.cc
M src/kudu/util/curl_util.cc
M src/kudu/util/curl_util.h
4 files changed, 28 insertions(+), 12 deletions(-)

git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/15/6215/1
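
A check an operator could run over a captured response to confirm the default described in the commit message is actually served. This is an added example, not code from the Kudu change: `ClassifyFraming`, the `Framing` enum and the sample response are hypothetical and constructed for illustration.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>

enum class Framing { kDeny, kSameOrigin, kMissing, kUnrecognized };

// Strip surrounding whitespace (including a trailing '\r') and lowercase.
static std::string TrimLower(std::string s) {
  auto not_space = [](unsigned char c) { return !std::isspace(c); };
  s.erase(s.begin(), std::find_if(s.begin(), s.end(), not_space));
  s.erase(std::find_if(s.rbegin(), s.rend(), not_space).base(), s.end());
  std::transform(s.begin(), s.end(), s.begin(), [](unsigned char c) {
    return static_cast<char>(std::tolower(c));
  });
  return s;
}

// Classify the X-Frame-Options policy in a raw response header block.
// Header names are case-insensitive and values may be padded, so both are
// normalized. Anything other than DENY or SAMEORIGIN, and a repeated header
// whose values disagree, is reported as unrecognized for manual review.
Framing ClassifyFraming(const std::string& raw_response) {
  std::istringstream in(raw_response);
  std::string line;
  Framing result = Framing::kMissing;
  while (std::getline(in, line)) {
    if (TrimLower(line).empty()) break;  // blank line ends the headers
    std::string::size_type colon = line.find(':');
    if (colon == std::string::npos) continue;  // status line
    if (TrimLower(line.substr(0, colon)) != "x-frame-options") continue;
    std::string value = TrimLower(line.substr(colon + 1));
    Framing seen = value == "deny"         ? Framing::kDeny
                   : value == "sameorigin" ? Framing::kSameOrigin
                                           : Framing::kUnrecognized;
    if (result != Framing::kMissing && result != seen)
      return Framing::kUnrecognized;
    result = seen;
  }
  return result;
}

int main() {
  // Constructed sample response, not captured from a real server.
  const std::string sample =
      "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
      "X-Frame-Options: DENY\r\n\r\n<html></html>";
  std::cout << (ClassifyFraming(sample) == Framing::kDeny ? "DENY" : "check")
            << "\n";
  return 0;
}
```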