Jonathan Eagles commented on YARN-2528:

[~zjshen], sorry to bother you again. Found another bug while working on 
getting the Tez UI running in a hosted environment. Can you give a review?

> Cross Origin Filter Http response split vulnerability protection rejects 
> valid origins
> --------------------------------------------------------------------------------------
>                 Key: YARN-2528
>                 URL: https://issues.apache.org/jira/browse/YARN-2528
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: timelineserver
>            Reporter: Jonathan Eagles
>            Assignee: Jonathan Eagles
>         Attachments: YARN-2528-v1.patch
> URLEncoding is too strong of a protection for HTTP Response Split 
> Vulnerability protection and major browser reject the encoded Origin. An 
> adequate protection is simply to remove all CRs LFs as in the case of PHP's 
> header function.

This message was sent by Atlassian JIRA

Reply via email to