Jonathan Eagles created YARN-2528:
-------------------------------------

             Summary: Cross Origin Filter Http response split vulnerability protection rejects valid origins
                 Key: YARN-2528
                 URL: https://issues.apache.org/jira/browse/YARN-2528
             Project: Hadoop YARN
          Issue Type: Sub-task
          Components: timelineserver
            Reporter: Jonathan Eagles
            Assignee: Jonathan Eagles

URLEncoding is too strong of a protection for HTTP Response Split Vulnerability protection and major browsers reject the encoded Origin. An adequate protection is simply to remove all CRs and LFs, as in the case of PHP's header function.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)