Hi John,

> I guess my question is whether this should be reported as a bug/vulnerability

No, it is not a security vulnerability. Ambari-UI is trying to resize itself to fit the size of its view-UI... that is the only thing that will be broken. It breaks in your case because Ambari-UI from one domain is trying to look into UI of another domain (Job History server). It was not designed to contain content from other domains. So basically what we are saying is that the iframe should only contain content from ambari-server's domain for it to work properly.

> If I were to put the link within the body tag (not in the bootstrap table),
> it does not follow the link

I do not think it should matter where the link is in the document hierarchy... it should behave the same way. Maybe there is something else happening when it is at a different location.

Hope that helps.

Regards,
Srimanth

________________________________
From: John.Bork <[email protected]>
Sent: Tuesday, March 24, 2015 6:56 AM
To: [email protected]
Subject: RE: Ambari Views Error

That is what I am doing now. I guess my question is whether this should be reported as a bug/vulnerability because it still follows the link in this setup, which, like you said, is a security vulnerability. If I were to put the link within the body tag (not in the bootstrap table), it does not follow the link. I feel that this is what should happen when it is in the bootstrap table rather than still following the link and changing the iframe height.

- John

From: Srimanth Gunturi [mailto:[email protected]]
Sent: Monday, March 23, 2015 4:36 PM
To: [email protected]
Subject: Re: Ambari Views Error

Hi John,

It is generally intended that the views-area of Ambari-Web UI will show only views. Attempting to show some other website in there will result in Ambari-Web hitting a security exception (as you have), due to ambari-web javascript trying to change some other website - https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

It might be better to open your Job link in another window/tab using 'target="_blank"'.

Regards,
Srimanth

________________________________
From: John.Bork <[email protected]>
Sent: Monday, March 23, 2015 2:20 PM
To: [email protected]
Subject: Ambari Views Error

Hi,

I am developing an Ambari View in which one component of it is to provide links to jobs on the Job History Server. When the link is clicked, the iframe that held the view now goes to the Job History Server and throws the following error in the browser console.

    Uncaught SecurityError: Blocked a frame with origin <Ambari View> from accessing a frame with origin <Job History Server> Protocols, domains, and ports must match.
    step9_view.js:1 App.MainViewsDetailsView.Em.View.extend.resizeFunction
    step9_view.js:1 (anonymous function)

The link is inserted into a bootstrap tblflat element row from which it can be clicked. Also, after the link is clicked and the iframe opens the Job History Server, the iFrame height attribute is set to auto, which causes the height to shrink between 100 and 200 pixels. Is this the correct action, or should the iframe be prevented from following the link in the first place? What is the expected behavior?

- John Bork
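
The same-origin rule discussed in this thread, as an added example that is not part of the original messages and is not Ambari's code: it decides whether a link may stay inside the view's iframe, and reads a frame's height without letting a cross-origin frame raise the SecurityError quoted above. The function names, hostnames, ports and the `rel` value are assumptions made for illustration.

```javascript
// Added example; sameOrigin, linkAttrs and frameContentHeight are hypothetical names.

// Two URLs share an origin only if protocol, host and port all match.
function sameOrigin(a, b) {
  try {
    return new URL(a).origin === new URL(b).origin;
  } catch (e) {
    return false; // unparsable URL: treat as foreign
  }
}

// Attributes for a link rendered inside a view. Same-origin links stay in the
// iframe; anything else opens in a new tab (target="_blank" as suggested in
// the thread; rel="noopener noreferrer" is an added hardening assumption).
function linkAttrs(href, viewUrl) {
  const resolved = new URL(href, viewUrl).href; // resolve relative links
  if (sameOrigin(resolved, viewUrl)) return { href: resolved };
  return { href: resolved, target: '_blank', rel: 'noopener noreferrer' };
}

// Height lookup a container page can call before resizing an iframe. Reading
// contentWindow.document of a cross-origin frame throws a SecurityError, so
// return null and let the caller keep the current height.
function frameContentHeight(frame) {
  try {
    return frame.contentWindow.document.body.scrollHeight;
  } catch (e) {
    return null;
  }
}

// Constructed sample values and stand-ins for an iframe element.
const VIEW_URL = 'http://ambari.example:8080/views/JOBS/1.0/jobs/';
const JOB_URL = 'http://jobhistory.example:19888/jobhistory/job/job_1';
const sameOriginFrame = {
  contentWindow: { document: { body: { scrollHeight: 640 } } },
};
const crossOriginFrame = {
  contentWindow: {
    get document() { throw new Error('SecurityError: cross-origin frame'); },
  },
};

console.log(linkAttrs(JOB_URL, VIEW_URL));
console.log(frameContentHeight(sameOriginFrame), frameContentHeight(crossOriginFrame));
```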
