[ https://issues.apache.org/jira/browse/HADOOP-13008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15234305#comment-15234305 ]
Larry McCay commented on HADOOP-13008: -------------------------------------- So the following config would turn on XFS protection and set the global value to DENY - not setting the value would also since it is the default: {code} hadoop.security.xframe-options-enabled=true hadoop.security.xframe-options=DENY {code} The following additional config would override the value: {code} dfs.security.namenode.xframe-options=SAMEORIGIN {code} The filter initializer for HDFS would need to check whether it was enabled and if so what the global value is. Then check and see whether it is overridden by a dfs specific property. No configured value for either would result in DENY whenever the filter is enabled. > Add XFS Filter for UIs to Hadoop Common > --------------------------------------- > > Key: HADOOP-13008 > URL: https://issues.apache.org/jira/browse/HADOOP-13008 > Project: Hadoop Common > Issue Type: New Feature > Components: security > Reporter: Larry McCay > Assignee: Larry McCay > Fix For: 2.8.0 > > > Cross Frame Scripting (XFS) prevention for UIs can be provided through a > common servlet filter. This filter will set the X-Frame-Options HTTP header > to DENY unless configured to another valid setting. > There are a number of UIs that could just add this to their filters as well > as the Yarn webapp proxy which could add it for all it's proxied UIs - if > appropriate. -- This message was sent by Atlassian JIRA (v6.3.4#6332)