Jonathan Eagles created YARN-2528:

             Summary: Cross Origin Filter Http response split vulnerability 
protection rejects valid origins
                 Key: YARN-2528
             Project: Hadoop YARN
          Issue Type: Sub-task
          Components: timelineserver
            Reporter: Jonathan Eagles
            Assignee: Jonathan Eagles

URLEncoding is too strong of a protection for HTTP Response Split Vulnerability 
protection and major browser reject the encoded Origin. An adequate protection 
is simply to remove all CRs LFs as in the case of PHP's header function.

This message was sent by Atlassian JIRA

Reply via email to