[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...
Github user 1ambda commented on the issue: https://github.com/apache/zeppelin/pull/2492 Thanks. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA. ---
[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...
Github user krishna-pandey commented on the issue: https://github.com/apache/zeppelin/pull/2492 @1ambda I am able to reproduce the issue, seems like the value is getting repeated. It turns out that all Headers are being set multiple times. I have created an issue (ZEPPELIN-2896) for that.
[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...
Github user 1ambda commented on the issue: https://github.com/apache/zeppelin/pull/2492 @krishna-pandey Hi, I just built master execute zeppelin. - https://github.com/apache/zeppelin/blob/master/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java#L684
[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...
Github user krishna-pandey commented on the issue: https://github.com/apache/zeppelin/pull/2492 @1ambda What's the value you are providing for the "zeppelin.server.xxss.protection" property? It can take three possible values: "0", "1" or "1; mode=block".
[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...
Github user felixcheung commented on the issue: https://github.com/apache/zeppelin/pull/2492 merging if no more comment
[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...
Github user krishna-pandey commented on the issue: https://github.com/apache/zeppelin/pull/2492 @felixcheung Updated the documentation as per review. Let me know if any other changes are required. Thanks.
[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...
Github user krishna-pandey commented on the issue: https://github.com/apache/zeppelin/pull/2492 @felixcheung Made the change as suggested. Also provided documentation for all HTTP Security Headers support we added recently (tested it locally). Let me know if I am still missing anything. Thanks for the review.
[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...
Github user prabhjyotsingh commented on the issue: https://github.com/apache/zeppelin/pull/2492 Tested on local, works as expected. LGTM!
[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...
Github user krishna-pandey commented on the issue: https://github.com/apache/zeppelin/pull/2492 Above commit also took care of below test case failures. https://s3.amazonaws.com/archive.travis-ci.org/jobs/253571796/log.txt?X-Amz-Expires=30=20170717T114927Z=AWS4-HMAC-SHA256=AKIAJRYRXRSVGNKPKO5A/20170717/us-east-1/s3/aws4_request=host=c08313e7f165e576846f035b0dee0975d4fc5fb414a0fa291e759b1993dd9b7b
[GitHub] zeppelin issue #2492: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Pr...
Github user krishna-pandey commented on the issue: https://github.com/apache/zeppelin/pull/2492 @Leemoonsoo, @felixcheung, @jongyoul, @prabhjyotsingh Please help review this. Note: Chrome Browser seems to be ignoring the "X-XSS-Protection" header when the value is set to 1. Ideally, it should be set to "X-XSS-Protection:1; mode=block". The difference being that when the latter value is set, the browser will prevent rendering of the page if an attack is detected rather than sanitizing the page as in the previous case.
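
The following check is an added example, not code from this thread or from the Zeppelin project. It audits a raw HTTP response header block for the two symptoms discussed above: a security header being sent more than once, and an X-XSS-Protection value outside the three listed for "zeppelin.server.xxss.protection". The function names, the HSTS max-age value and the sample responses are assumptions constructed for the illustration.

```python
import re

# The three values the thread lists for zeppelin.server.xxss.protection.
ALLOWED_XXSS = {"0", "1", "1; mode=block"}
AUDITED = ("strict-transport-security", "x-xss-protection")

def parse_headers(raw):
    """Return {lowercased name: [values...]} from a raw response header block."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                              # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a sorted list of findings for the audited security headers."""
    headers, findings = parse_headers(raw), []
    for name in AUDITED:
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
            continue
        if len(values) > 1:                    # same header emitted repeatedly
            findings.append(f"{name}: sent {len(values)} times")
        for value in set(values):
            normalized = re.sub(r"\s*;\s*", "; ", value.strip())
            if name == "x-xss-protection" and normalized not in ALLOWED_XXSS:
                findings.append(f"{name}: unexpected value {value!r}")
            if name == "strict-transport-security" and not re.search(
                    r"(?i)(?:^|;)\s*max-age=\d+", value):
                findings.append(f"{name}: no max-age in {value!r}")
    return sorted(findings)

# Constructed sample responses (not captured from a real Zeppelin server).
HSTS = "Strict-Transport-Security: max-age=631138519"
DUPLICATED = "\r\n".join(["HTTP/1.1 200 OK", HSTS, HSTS,
                          "X-XSS-Protection: 1", "X-XSS-Protection: 1", "", ""])
CLEAN = "\r\n".join(["HTTP/1.1 200 OK", HSTS,
                     "X-XSS-Protection: 1; mode=block", "", ""])

if __name__ == "__main__":
    print(audit(DUPLICATED))
    print(audit(CLEAN))
```

A value repeated inside a single header line, such as `X-XSS-Protection: 1, 1`, is reported as an unexpected value rather than as a duplicate header.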