[ https://issues.apache.org/jira/browse/HADOOP-13008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15234291#comment-15234291 ]
Larry McCay commented on HADOOP-13008:
--------------------------------------
Like the RestCsrfPreventionFilter config, I plan to enable individual
integration points/webapps to configure the specific value that they want to
set as the X-Frame-Options header. It may be that some webapps intend some
pages to be embedded in a frame that is served from the same origin, in which
case they could set the configuration property component.prefix.xframe-options
to SAMEORIGIN rather than accept the default/global setting.
In order to do this we should probably check for configuration for the value
with two separate prefixes: one for the global setting/prefix and one for the
integration-specific prefix, overriding the global value with the
component-specific value.
Current thinking is to block the headers from being set by the component
itself. Perhaps this should be config driven. Something like
allow.component.overrides?
> Add XFS Filter for UIs to Hadoop Common
> ---------------------------------------
>
> Key: HADOOP-13008
> URL: https://issues.apache.org/jira/browse/HADOOP-13008
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 2.8.0
>
>
> Cross Frame Scripting (XFS) prevention for UIs can be provided through a
> common servlet filter. This filter will set the X-Frame-Options HTTP header
> to DENY unless configured to another valid setting.
> There are a number of UIs that could just add this to their filters as well
> as the Yarn webapp proxy which could add it for all its proxied UIs - if
> appropriate.
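The following is an added example sketching the filter design discussed in the comment above; it is not Hadoop's own code and not the patch attached to HADOOP-13008. It resolves the X-Frame-Options value from a global prefix, lets a component-specific prefix override it, validates the result against the directives browsers accept, and (when overrides are disabled) wraps the response so the downstream webapp cannot replace the header. The property names `hadoop.http.xframe-options`, the init parameters `xframe.component.prefix` and `allow.component.overrides`, and the class name are assumptions chosen for the illustration.

```java
// Added illustration, not Hadoop's code. Property and parameter names are assumed.
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class XFrameOptionsFilter implements Filter {
  public static final String HEADER = "X-Frame-Options";
  // Assumed key layout: <prefix>.xframe-options, with a global prefix and an
  // optional per-component prefix that takes precedence.
  static final String GLOBAL_PREFIX = "hadoop.http";
  static final String VALUE_SUFFIX = ".xframe-options";
  static final String COMPONENT_PREFIX_PARAM = "xframe.component.prefix";
  static final String ALLOW_OVERRIDES_PARAM = "allow.component.overrides";
  static final String DEFAULT_VALUE = "DENY";

  private String headerValue = DEFAULT_VALUE;
  private boolean allowComponentOverrides = false;

  /** Component-specific value wins over the global value, which wins over DENY. */
  static String resolve(Map<String, String> conf, String componentPrefix) {
    String value = conf.getOrDefault(GLOBAL_PREFIX + VALUE_SUFFIX, DEFAULT_VALUE);
    if (componentPrefix != null && !componentPrefix.isEmpty()) {
      String specific = conf.get(componentPrefix + VALUE_SUFFIX);
      if (specific != null) {
        value = specific;
      }
    }
    value = value.trim().toUpperCase(Locale.ROOT);
    // Only the directives defined for the header are accepted; a typo such as
    // "SAME-ORIGIN" must fail loudly rather than silently disable protection.
    boolean valid = value.equals("DENY") || value.equals("SAMEORIGIN")
        || value.startsWith("ALLOW-FROM ");
    if (!valid) {
      throw new IllegalArgumentException("Invalid " + HEADER + " value: " + value);
    }
    return value;
  }

  @Override
  public void init(FilterConfig filterConfig) throws ServletException {
    // The filter's init parameters stand in for the Hadoop Configuration here.
    Map<String, String> conf = new HashMap<>();
    Enumeration<String> names = filterConfig.getInitParameterNames();
    while (names.hasMoreElements()) {
      String name = names.nextElement();
      conf.put(name, filterConfig.getInitParameter(name));
    }
    headerValue = resolve(conf, conf.get(COMPONENT_PREFIX_PARAM));
    allowComponentOverrides = Boolean.parseBoolean(conf.get(ALLOW_OVERRIDES_PARAM));
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletResponse http = (HttpServletResponse) res;
    // Set the header before the webapp runs so it is present even on error pages.
    http.setHeader(HEADER, headerValue);
    chain.doFilter(req, allowComponentOverrides ? http : new LockedHeaderResponse(http));
  }

  @Override
  public void destroy() {
  }

  /** Drops any later attempt by the component to change X-Frame-Options. */
  private static final class LockedHeaderResponse extends HttpServletResponseWrapper {
    LockedHeaderResponse(HttpServletResponse response) {
      super(response);
    }

    @Override
    public void setHeader(String name, String value) {
      if (!HEADER.equalsIgnoreCase(name)) {
        super.setHeader(name, value);
      }
    }

    @Override
    public void addHeader(String name, String value) {
      if (!HEADER.equalsIgnoreCase(name)) {
        super.addHeader(name, value);
      }
    }
  }
}
```

With `xframe.component.prefix=yarn.webapp` and `yarn.webapp.xframe-options=SAMEORIGIN` in the filter's init parameters, `resolve` returns SAMEORIGIN for that webapp while every other filter instance keeps the global value or DENY. The response wrapper only guards `setHeader`/`addHeader`; a component that calls `reset()` on the response would still discard the header, which is one reason to keep the override switch off by default.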