[ 
https://issues.apache.org/jira/browse/HADOOP-13008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15289297#comment-15289297
 ] 

Larry McCay commented on HADOOP-13008:
--------------------------------------

[~vvasudev] - Thank you for bringing this to my attention!

This effort was certainly not intended to duplicate any other work - in fact, I 
went to some length to make sure that I didn't do so with HADOOP-12234.

I was unaware of the inner QuotingInputFilter class within HttpServer2 or the 
fact that it also adds X-Frame-Options.

The fact that it is baked into the HttpServer2 class rather than commonly 
available for anyone to use and that it doesn't separate the responsibility for 
XFS make that filter less reusable by the overall ecosystem.

My inclination is to refactor the functionality in QuotingInputFilter out into
a generic XSS filter that can be reused by others and to integrate with it and
the common XFS filter rather than relying on HttpServer2 specific filters.

Thoughts?

> Add XFS Filter for UIs to Hadoop Common
> ---------------------------------------
>
>                 Key: HADOOP-13008
>                 URL: https://issues.apache.org/jira/browse/HADOOP-13008
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: security
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>             Fix For: 2.8.0
>
>         Attachments: HADOOP-13008-001.patch, HADOOP-13008-002.patch, 
> HADOOP-13008-003.patch, HADOOP-13008-004.patch
>
>
> Cross Frame Scripting (XFS) prevention for UIs can be provided through a 
> common servlet filter. This filter will set the X-Frame-Options HTTP header 
> to DENY unless configured to another valid setting.
> There are a number of UIs that could just add this to their filters as well
> as the Yarn webapp proxy which could add it for all its proxied UIs - if
> appropriate.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
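The issue description above sketches a common servlet filter that sets X-Frame-Options to DENY unless configured to another valid value. The following is an added illustration of that shape, written for this page and not the HADOOP-13008 patch or any Hadoop code; the class name, the init-param name "xframe-options" and the validation rules are assumptions. It fails filter startup on an invalid setting rather than silently falling back, so a misspelled value cannot leave a UI frameable.

```java
import java.io.IOException;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative XFS filter (example code, not the HADOOP-13008 implementation).
 * Sets X-Frame-Options on every HTTP response. The value is DENY unless the
 * init-param "xframe-options" (assumed name) holds another valid setting.
 */
public class XFrameOptionsFilter implements Filter {

  public static final String HEADER = "X-Frame-Options";
  // Hypothetical init-param name used for this example only.
  public static final String OPTIONS_PARAM = "xframe-options";

  private String headerValue = "DENY";

  @Override
  public void init(FilterConfig config) throws ServletException {
    headerValue = normalize(config.getInitParameter(OPTIONS_PARAM));
  }

  /**
   * Returns the validated header value for a configured setting.
   * Null/blank -> DENY. DENY and SAMEORIGIN are accepted case-insensitively.
   * ALLOW-FROM must carry exactly one http(s) origin. Anything else is an
   * error at startup, not a silent fallback.
   */
  static String normalize(String configured) throws ServletException {
    if (configured == null || configured.trim().isEmpty()) {
      return "DENY";
    }
    String value = configured.trim();
    String upper = value.toUpperCase(Locale.ROOT);
    if (upper.equals("DENY") || upper.equals("SAMEORIGIN")) {
      return upper;
    }
    if (upper.startsWith("ALLOW-FROM ")) {
      String origin = value.substring("ALLOW-FROM ".length()).trim();
      boolean looksLikeOrigin =
          (origin.startsWith("http://") || origin.startsWith("https://"))
          && !origin.contains(" ") && !origin.contains(",");
      if (looksLikeOrigin) {
        return "ALLOW-FROM " + origin;
      }
    }
    throw new ServletException("Invalid " + HEADER + " setting: " + configured);
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response,
      FilterChain chain) throws IOException, ServletException {
    if (response instanceof HttpServletResponse) {
      // Set the header before the downstream servlet writes the body; once the
      // response is committed, header changes are ignored.
      ((HttpServletResponse) response).setHeader(HEADER, headerValue);
    }
    chain.doFilter(request, response);
  }

  @Override
  public void destroy() {
  }
}
```

Two caveats a deployer would want: ALLOW-FROM was never supported by all major browsers, so a UI that must be embeddable from one specific origin should also send a Content-Security-Policy "frame-ancestors" directive; and when a proxy such as the YARN web app proxy adds the header for proxied UIs, it needs to overwrite (not append to) any X-Frame-Options value the backend already sent, since a response carrying two conflicting values is treated inconsistently across browsers.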
