[ https://issues.apache.org/jira/browse/HADOOP-13008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15234291#comment-15234291 ]
Larry McCay commented on HADOOP-13008:
--------------------------------------

Like the RestCsrfPreventionFilter config, I plan to enable individual integration points/webapps to configure the specific value that they want to set as the X-Frame-Options header. It may be that some webapps intend some pages to be embedded in a frame that is served from the same origin, in which case they could set the configuration property component.prefix.xframe-options to SAMEORIGIN rather than accept the default/global setting.

In order to do this we should probably check for configuration for the value with two separate prefixes: one for the global setting/prefix and one for the integration-specific prefix, and override the global value with the component-specific value.

Current thinking is to block the headers from being set by the component itself. Perhaps this should be config driven. Something like allow.component.overrides?

> Add XFS Filter for UIs to Hadoop Common
> ---------------------------------------
>
>                 Key: HADOOP-13008
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13008
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 2.8.0
>
>
> Cross Frame Scripting (XFS) prevention for UIs can be provided through a
> common servlet filter. This filter will set the X-Frame-Options HTTP header
> to DENY unless configured to another valid setting.
> There are a number of UIs that could just add this to their filters as well
> as the Yarn webapp proxy which could add it for all its proxied UIs - if
> appropriate.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
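The two-prefix lookup and the block on component-set headers that the comment sketches, as an added example that is not the HADOOP-13008 patch or Hadoop's own code. The property names other than component.prefix.xframe-options, the Map standing in for Hadoop's Configuration, and the sample component prefix are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

/** XFS filter sketch: X-Frame-Options resolved from a global and a component config prefix. */
public class XFrameOptionsFilter implements Filter {
  static final String HEADER = "X-Frame-Options";
  static final String SUFFIX = ".xframe-options";
  static final String GLOBAL_PREFIX = "hadoop.http";                           // assumed name
  static final String OVERRIDES_KEY = "hadoop.http.allow.component.overrides"; // assumed name
  static final String DEFAULT_VALUE = "DENY";
  private final Map<String, String> conf;  // stands in for Hadoop's Configuration
  private final String componentPrefix;    // e.g. "yarn.webapp.proxy" (assumed)
  private String headerValue = DEFAULT_VALUE;

  public XFrameOptionsFilter(Map<String, String> conf, String componentPrefix) {
    this.conf = conf;
    this.componentPrefix = componentPrefix;
  }

  /** Component value wins only if overrides are enabled; else the global value; else DENY. */
  static String resolve(Map<String, String> conf, String globalPrefix, String componentPrefix) {
    String value = conf.get(globalPrefix + SUFFIX);
    boolean overrides = Boolean.parseBoolean(conf.getOrDefault(OVERRIDES_KEY, "false"));
    String component = conf.get(componentPrefix + SUFFIX);
    if (overrides && component != null) {
      value = component;
    }
    // Only DENY and SAMEORIGIN are honoured by current browsers; anything else falls back.
    boolean valid = value != null
        && (value.equalsIgnoreCase("DENY") || value.equalsIgnoreCase("SAMEORIGIN"));
    return valid ? value.toUpperCase() : DEFAULT_VALUE;
  }

  @Override public void init(FilterConfig fc) { headerValue = resolve(conf, GLOBAL_PREFIX, componentPrefix); }
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletResponse http = (HttpServletResponse) res;
    http.setHeader(HEADER, headerValue);
    // Wrap the response so the webapp downstream cannot replace or duplicate the header.
    chain.doFilter(req, new HttpServletResponseWrapper(http) {
      @Override public void setHeader(String n, String v) { if (!HEADER.equalsIgnoreCase(n)) super.setHeader(n, v); }
      @Override public void addHeader(String n, String v) { if (!HEADER.equalsIgnoreCase(n)) super.addHeader(n, v); }
    });
  }
}
```

With allow.component.overrides left at its default of false, a component-level xframe-options entry is ignored and the global value (or DENY) is enforced.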