[
https://issues.apache.org/jira/browse/YARN-7338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16208739#comment-16208739
]
Sunil G commented on YARN-7338:
-------------------------------
Thanks [~eyang] for sharing more points here.
{noformat}
Request URL:https://tags.tiqcdn.com/utag/bofa/main/prod/utag.js
Request Method:GET
Status Code:200
Remote Address:104.121.229.167:443
Referrer Policy:no-referrer-when-downgrade
{noformat}
Response Headers
{noformat}
accept-ranges:bytes
cache-control:max-age=300
content-encoding:gzip
content-length:27343
content-type:application/x-javascript
date:Wed, 18 Oct 2017 02:17:54 GMT
etag:"bc10f1dc838dfe4d03f3e9d5c204f760:1506620434"
expires:Wed, 18 Oct 2017 02:22:54 GMT
last-modified:Thu, 28 Sep 2017 17:40:34 GMT
server:Apache
status:200
vary:Accept-Encoding
{noformat}
When I referred various static contents from BOA or other sites, I saw mostly
responses like above. But the link which u shared has
{{Access-Control-Allow-Credentials:true}}. I am not sure why this is not there
for all pages. please correct me if I missed some other headers here.
I am tying to phrase the potential security threat model explained by you.
# Third party js libs used to compile some *.js* files of ui2 has harmful
contents.
# UI2 browser end point downloads whole contents from server to its cache.
# This content is hence in client end (NOT at server end). Could this impact
the REST response coming from NM or RM which is already protected by XFS and
other filters?
I am also in line with you where we have to protect contents before getting any
issue. I checked code and there is a way which this filters could be added.
However this detailed discussion will help folks to re-iterate on real reason
why static contents needs cors protection as few statics were not protected in
general.
> Support same origin policy for cross site scripting prevention.
> ---------------------------------------------------------------
>
> Key: YARN-7338
> URL: https://issues.apache.org/jira/browse/YARN-7338
> Project: Hadoop YARN
> Issue Type: Sub-task
> Components: yarn-ui-v2
> Reporter: Vrushali C
>
> Opening jira as suggested b [~eyang] on the thread for merging YARN-3368 (new
> web UI) to branch2
> http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3ccad++ecmvvqnzqz9ynkvkcxaczdkg50yiofxktgk3mmms9sh...@mail.gmail.com%3E
> ----------
> Ui2 does not seem to support same origin policy for cross site scripting
> prevention.
> The following parameters has no effect for /ui2:
> hadoop.http.cross-origin.enabled = true
> yarn.resourcemanager.webapp.cross-origin.enabled = true
> This is because ui2 is designed as a separate web application. WebFilters
> setup for existing resource manager doesn’t apply to the new web application.
> Please open JIRA to track the security issue and resolve the problem prior to
> backporting this to branch-2.
> This would minimize the risk to open up security hole in branch-2.
> ----------
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
