[
https://issues.apache.org/jira/browse/YARN-7338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208131#comment-16208131
]
Eric Yang commented on YARN-7338:
---------------------------------
[~sunilg] It is very important to have the CORS header included for Javascript if
the javascript is utilizing third party libraries. In the ui2 case, it downloads a
number of third party javascript libraries during build time. Third party
javascript libraries have the potential to enable a hacker to trigger unexpected
javascript calls to leak information to other servers. The CORS header will help
to ground the communication between browser and servers to the same origin.
Here is an example of Bank of America website javascript.
Request
{code}
Request URL:https://aero.bankofamerica.com/30306/I3n.js
Request Method:GET
Status Code:200 OK
Remote Address:123.123.123.123:443
Referrer Policy:no-referrer-when-downgrade
{code}
Response Headers
{code}
Access-Control-Allow-Credentials:true
Access-Control-Allow-Methods:GET, OPTIONS
Access-Control-Allow-Origin:https://www.bankofamerica.com
Cache-Control:no-cache, no-store, must-revalidate
Connection:keep-alive
Content-Encoding:gzip
Content-Type:application/x-javascript
Date:Tue, 17 Oct 2017 18:22:23 GMT
{code}
There is an Access-Control-Allow-Origin header being sent from the server.
It is best to start the leak prevention before a mistake is made.
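As an added illustration, not code from this issue or from Hadoop's own CrossOriginFilter, the following is a minimal javax.servlet filter of the kind the issue description calls a WebFilter. It reads an allow-list of origins from a hypothetical `allowed-origins` init-param, reflects only an allow-listed Origin into Access-Control-Allow-Origin, sends no CORS headers at all for unknown origins so the browser refuses the cross-origin read, and fails preflight from unknown origins closed. The class name, init-param name and header set are assumptions for the example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical allow-list CORS filter (example only; not Hadoop's CrossOriginFilter).
 * Register it in front of the UI resources so every response carries the same
 * origin policy, regardless of which web application served it.
 */
public class OriginAllowListFilter implements Filter {

    // Exact origins permitted to read responses, e.g. "https://rm.example.org:8088".
    // Populated from the assumed init-param "allowed-origins" (comma-separated).
    private Set<String> allowedOrigins = Collections.emptySet();

    @Override
    public void init(FilterConfig config) {
        String param = config.getInitParameter("allowed-origins");
        if (param == null) {
            return; // empty allow-list: no cross-origin reads are ever enabled
        }
        Set<String> origins = new HashSet<>();
        for (String o : param.split(",")) {
            String trimmed = o.trim();
            if (!trimmed.isEmpty()) {
                origins.add(trimmed);
            }
        }
        allowedOrigins = origins;
    }

    /** Exact match on scheme + host + port; never a substring or wildcard check. */
    static boolean isAllowed(String origin, Set<String> allowed) {
        return origin != null && allowed.contains(origin);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String origin = request.getHeader("Origin");
        boolean preflight = "OPTIONS".equalsIgnoreCase(request.getMethod())
                && request.getHeader("Access-Control-Request-Method") != null;

        if (origin == null) {
            // Same-origin or non-browser request: CORS headers are not needed.
            chain.doFilter(req, res);
            return;
        }

        if (!isAllowed(origin, allowedOrigins)) {
            if (preflight) {
                // Fail closed: do not let an unknown origin reach the resource.
                response.setStatus(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            // No Access-Control-Allow-Origin is emitted, so the browser blocks the read.
            chain.doFilter(req, res);
            return;
        }

        // Echo only the allow-listed origin (never "*"), and mark the response as
        // origin-dependent so shared caches do not serve it to another origin.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Vary", "Origin");
        response.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS");
        response.setHeader("Access-Control-Allow-Headers", "Authorization, Content-Type");
        // Allow-Credentials is only safe alongside an explicit origin, as in the
        // bank example above; combined with "*" browsers reject it anyway.
        response.setHeader("Access-Control-Allow-Credentials", "true");

        if (preflight) {
            response.setStatus(HttpServletResponse.SC_NO_CONTENT);
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

The check to make when wiring this into a deployment is that the filter is actually mapped onto the new web application's paths (here /ui2), since, as the description notes, filters registered for the existing resource manager servlets do not apply to a separately mounted application.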
> Support same origin policy for cross site scripting prevention.
> ---------------------------------------------------------------
>
> Key: YARN-7338
> URL: https://issues.apache.org/jira/browse/YARN-7338
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn-ui-v2
> Reporter: Vrushali C
>
> Opening jira as suggested by [~eyang] on the thread for merging YARN-3368 (new
> web UI) to branch2
> http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3ccad++ecmvvqnzqz9ynkvkcxaczdkg50yiofxktgk3mmms9sh...@mail.gmail.com%3E
> ----------
> Ui2 does not seem to support same origin policy for cross site scripting
> prevention.
> The following parameters have no effect for /ui2:
> hadoop.http.cross-origin.enabled = true
> yarn.resourcemanager.webapp.cross-origin.enabled = true
> This is because ui2 is designed as a separate web application. WebFilters
> setup for existing resource manager doesn’t apply to the new web application.
> Please open JIRA to track the security issue and resolve the problem prior to
> backporting this to branch-2.
> This would minimize the risk to open up security hole in branch-2.
> ----------
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)