[
https://issues.apache.org/jira/browse/YARN-5076?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15288957#comment-15288957
]
Varun Vasudev commented on YARN-5076:
-------------------------------------
I think of a few cases around Ambari for example which may want to embed the RM
UI but not the NM or ATS. In that case we want only the RM to have the XFS
options set to SAMEORIGIN but the rest to DENY.
> YARN web interfaces lack XFS protection
> ---------------------------------------
>
> Key: YARN-5076
> URL: https://issues.apache.org/jira/browse/YARN-5076
> Project: Hadoop YARN
> Issue Type: Bug
> Components: nodemanager, resourcemanager, timelineserver
> Reporter: Jonathan Maron
> Assignee: Jonathan Maron
> Attachments: YARN-5076.002.patch
>
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> There are web interfaces in YARN that do not provide protection against cross
> frame scripting
> (https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet).
> HADOOP-13008 provides a common filter for addressing this vulnerability, so
> this filter should be integrated into the YARN web interfaces.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
