[ 
https://issues.apache.org/jira/browse/YARN-11661?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17826972#comment-17826972
 ] 

Susheel Gupta commented on YARN-11661:
--------------------------------------

Closing this ticket as a workaround exists.
{code:java}
<property>
    <name>hadoop.http.header.Set-Cookie</name>
    <value>SameSite=None; Secure</value>
</property>{code}
Adding this property in yarn-site.xml will fix this issue.

Also "Secure" needs to be added as Set-Cookie was blocked because it had the 
"SameSite=None" attribute but did not have the "Secure" attribute, which is 
required in order to use "SameSite=None".
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#:~:text=This%20Set%2DCookie%20was%20blocked%20because%20it%20had%20the%20%22SameSite%3DNone%22%20attribute%20but%20did%20not%20have%20the%20%22Secure%22%20attribute%2C%20which%20is%20required%20in%20order%20to%20use%20%22SameSite%3DNone%22.

> Adding new property to configure the "SameSite" cookie attribute on YARN UI 
> ----------------------------------------------------------------------------
>
>                 Key: YARN-11661
>                 URL: https://issues.apache.org/jira/browse/YARN-11661
>             Project: Hadoop YARN
>          Issue Type: Improvement
>          Components: yarn
>            Reporter: Susheel Gupta
>            Assignee: Susheel Gupta
>            Priority: Major
>
> If we use 'SameSite=Strict,' the browser would only send the cookie for 
> same-site requests, rendering cross-site sessions ineffective.
> However, it’s worth noting that while using SameSite=None with TLS does 
> enhance the security of your cookies compared to using it without TLS, it 
> doesn’t provide complete security. Nevertheless, considering the necessity 
> for cross-site sessions, utilizing SameSite=None along with TLS can provide a 
> reasonable level of security.
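
As an added example (not part of the original comment or of Hadoop's own code), the Python check below audits a yarn-site.xml document for the rule the comment describes: a cookie value carrying SameSite=None must also carry Secure. The function names and the two sample XML documents are constructed for illustration; the check looks only at the attribute tokens of the property value, as written on this page.

```python
import xml.etree.ElementTree as ET

PROP = "hadoop.http.header.Set-Cookie"  # property name taken from the comment above

def check_cookie_value(value):
    """Return a list of problems for one Set-Cookie value (empty list = OK)."""
    tokens = [t.strip() for t in value.split(";") if t.strip()]
    attrs = {}
    for tok in tokens:
        key, _, val = tok.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    problems = []
    samesite = attrs.get("samesite")
    if samesite is None:
        problems.append("no SameSite attribute; browser default applies")
    elif samesite.lower() not in ("strict", "lax", "none"):
        problems.append("unknown SameSite value: " + samesite)
    elif samesite.lower() == "none" and "secure" not in attrs:
        problems.append("SameSite=None without Secure; browser blocks the cookie")
    return problems

def audit_site_xml(xml_text):
    """Return (value, problems) for each PROP entry in a Hadoop *-site.xml document."""
    root = ET.fromstring(xml_text)
    results = []
    for prop in root.iter("property"):
        if (prop.findtext("name") or "").strip() == PROP:
            value = (prop.findtext("value") or "").strip()
            results.append((value, check_cookie_value(value)))
    return results

# Constructed sample inputs: the blocked form and the workaround from the comment.
BROKEN = """<configuration><property>
  <name>hadoop.http.header.Set-Cookie</name>
  <value>SameSite=None</value>
</property></configuration>"""
FIXED = BROKEN.replace("SameSite=None", "SameSite=None; Secure")

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, audit_site_xml(doc))
```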


