[ https://issues.apache.org/jira/browse/HADOOP-12691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15103220#comment-15103220 ]
Larry McCay commented on HADOOP-12691:
--------------------------------------

Yikes - is that a result of my patch being rooted at the wrong place?

> Add CSRF Filter for REST APIs to Hadoop Common
> ----------------------------------------------
>
>                 Key: HADOOP-12691
>                 URL: https://issues.apache.org/jira/browse/HADOOP-12691
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 2.9.0
>
>         Attachments: CSRFProtectionforRESTAPIs.pdf, HADOOP-12691-001.patch, HADOOP-12691-002.patch, HADOOP-12691-003.patch
>
>
> CSRF prevention for REST APIs can be provided through a common servlet filter. This filter would check for the existence of an expected (configurable) HTTP header - such as X-XSRF-Header.
>
> The fact that CSRF attacks are entirely browser based means that the above approach can ensure that requests are coming either from applications served by the same origin as the REST API, or from another origin for which there is explicit policy configuration that allows setting a header on XMLHttpRequest.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
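The header-existence check described in the quoted issue, written out as an added example that is not the HADOOP-12691 patch and not Hadoop's own code: a hypothetical javax.servlet Filter that lets a request through only if it uses a method configured as safe or carries the expected custom header. The class name, the init-param names (custom-header, methods-to-ignore), the 400 response and the default exemption of GET/OPTIONS/HEAD/TRACE are assumptions of this example. The decision is kept in a separate method so it can be unit tested without a servlet container.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical CSRF-prevention filter for a REST API (example code, not the
 * HADOOP-12691 patch). A request passes only if its method is configured as
 * safe, or if it carries the expected custom header. The header's value is
 * deliberately not inspected: the protection comes from the browser, which
 * will not attach a custom header to a cross-origin request (form post, img,
 * script tag) unless the API's CORS policy explicitly allows it in a
 * preflight response.
 */
public class HeaderCsrfFilter implements Filter {

  // Init-param names and defaults are assumptions for this example.
  static final String HEADER_PARAM = "custom-header";
  static final String METHODS_PARAM = "methods-to-ignore";
  static final String DEFAULT_HEADER = "X-XSRF-Header";
  static final String DEFAULT_METHODS_TO_IGNORE = "GET,OPTIONS,HEAD,TRACE";

  private String headerName = DEFAULT_HEADER;
  private Set<String> methodsToIgnore = parseMethods(DEFAULT_METHODS_TO_IGNORE);

  @Override
  public void init(FilterConfig config) {
    String header = config.getInitParameter(HEADER_PARAM);
    if (header != null && !header.trim().isEmpty()) {
      headerName = header.trim();
    }
    String methods = config.getInitParameter(METHODS_PARAM);
    if (methods != null) {
      methodsToIgnore = parseMethods(methods);
    }
  }

  /** Parses a comma-separated method list into an upper-cased, read-only set. */
  static Set<String> parseMethods(String csv) {
    Set<String> result = new HashSet<>();
    for (String m : csv.split(",")) {
      String trimmed = m.trim();
      if (!trimmed.isEmpty()) {
        result.add(trimmed.toUpperCase(Locale.ROOT));
      }
    }
    return Collections.unmodifiableSet(result);
  }

  /**
   * The decision, kept free of servlet plumbing so it can be unit tested.
   * Only the header's presence matters, never its value.
   */
  boolean isAllowed(String method, String headerValue) {
    if (method != null
        && methodsToIgnore.contains(method.toUpperCase(Locale.ROOT))) {
      // Exempt method (assumed side-effect free): plain navigations and
      // CORS preflights arrive without the header and must still work.
      return true;
    }
    return headerValue != null;
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp,
                       FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) req;
    HttpServletResponse httpResp = (HttpServletResponse) resp;
    if (isAllowed(httpReq.getMethod(), httpReq.getHeader(headerName))) {
      chain.doFilter(req, resp);
    } else {
      // Fail closed: a cross-site form post or image request ends here.
      httpResp.sendError(HttpServletResponse.SC_BAD_REQUEST,
          "Missing required header: " + headerName);
    }
  }

  @Override
  public void destroy() {
  }
}
```

Register the filter in front of the REST servlet with the two init-params; a same-origin client then adds the header with XMLHttpRequest.setRequestHeader() before each state-changing call, while a cross-origin page can only do so if the server's CORS configuration lists that header in Access-Control-Allow-Headers. Two caveats a reviewer should check: the method exemption is only safe if no exempted endpoint changes state on GET, and the filter must sit in front of every route that mutates state, since an unfiltered path gives the attacker the same result as no filter at all.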