[
https://issues.apache.org/jira/browse/HADOOP-13008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15234305#comment-15234305
]
Larry McCay commented on HADOOP-13008:
--------------------------------------
So the following config would turn on XFS protection and set the global value
to DENY - not setting the value would also since it is the default:
{code}
hadoop.security.xframe-options-enabled=true
hadoop.security.xframe-options=DENY
{code}
The following additional config would override the value:
{code}
dfs.security.namenode.xframe-options=SAMEORIGIN
{code}
The filter initializer for HDFS would need to check whether it was enabled and
if so what the global value is.
Then check and see whether it is overridden by a dfs specific property.
No configured value for either would result in DENY whenever the filter is
enabled.
> Add XFS Filter for UIs to Hadoop Common
> ---------------------------------------
>
> Key: HADOOP-13008
> URL: https://issues.apache.org/jira/browse/HADOOP-13008
> Project: Hadoop Common
> Issue Type: New Feature
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 2.8.0
>
>
> Cross Frame Scripting (XFS) prevention for UIs can be provided through a
> common servlet filter. This filter will set the X-Frame-Options HTTP header
> to DENY unless configured to another valid setting.
> There are a number of UIs that could just add this to their filters as well
> as the Yarn webapp proxy which could add it for all it's proxied UIs - if
> appropriate.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
