[ https://issues.apache.org/jira/browse/HADOOP-15457?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16478237#comment-16478237 ]
Robert Kanter commented on HADOOP-15457:
----------------------------------------

A few more comments, and then I think we're good to go:

# Now that {{xFrameParams}} is seeded by {{setHeaders}}, we can do a little more cleanup by having {{setHeaders}} simply return the {{Map}} instead of having the caller create the {{Map}} and {{setHeaders}} returning it by reference.
# {{X_FRAME_ENABLED}} is no longer used and can be deleted.
# {{QuotingInputFilter#doFilter}} will be called on every request, so {{addHeaders}}, which is iterating through a bunch of configs and doing regex pattern matching, will be called on every request. I think we should move that to {{QuotingInputFilter#init}} and populate a map; we can then simply add the headers in {{QuotingInputFilter#doFilter}}, which will be faster.
# In your tests, the first argument to {{assertEquals}} (and similar) is the expected value and the second argument is the actual value. The ones where you're using {{getHeaderField}} are therefore reversed. For example, it should be:
{code:java}
assertEquals(HttpServer2.X_XSS_PROTECTION.split(":")[1], conn.getHeaderField(HttpServer2.X_XSS_PROTECTION.split(":")[0]));
{code}
# {{System.out.println("printing:"+conn.getHeaderField(HttpServer2.X_XSS_PROTECTION));}} is unnecessary. The {{assert}} statements will print out the value if they fail.
# The {{assertNotEquals}} is redundant. The subsequent {{assertEquals}} handles it (and is stricter).

> Add Security-Related HTTP Response Header in WEBUIs.
> ----------------------------------------------------
>
>                 Key: HADOOP-15457
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15457
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kanwaljeet Sachdev
>            Assignee: Kanwaljeet Sachdev
>            Priority: Major
>              Labels: security
>         Attachments: HADOOP-15457.001.patch, HADOOP-15457.002.patch,
>                      YARN-8198.001.patch, YARN-8198.002.patch, YARN-8198.003.patch,
>                      YARN-8198.004.patch, YARN-8198.005.patch
>
>
> As of today, the YARN web UI lacks certain security-related HTTP response
> headers. We are planning to add a few default ones and also add support for
> headers to be added via XML config. We plan to make the two below the defaults.
> * X-XSS-Protection: 1; mode=block
> * X-Content-Type-Options: nosniff
>
> Support for headers via config properties in core-site.xml will be along the
> lines below:
> {code:java}
> <property>
>   <name>hadoop.http.header.Strict_Transport_Security</name>
>   <value>valHSTSFromXML</value>
> </property>
> {code}
>
> A regex matcher will lift these properties and add them into the response header
> when Jetty prepares the response.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
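The shape the review asks for, as an added example that is not part of the patch or of Hadoop's own code: the config is scanned with the regex exactly once at init time into a map, and each response then only walks that map. The class name `SecurityHeaderPolicy`, the `^hadoop\.http\.header\.(...)$` pattern, the underscore-to-hyphen mapping of the property suffix (the issue uses `Strict_Transport_Security` for a header spelled with hyphens, so this is inferred, not quoted), and the rejection of CR/LF in configured values are all assumptions of this example. A plain `Map<String, String>` stands in for Hadoop's `Configuration`, and a `BiConsumer` stands in for `HttpServletResponse#setHeader`, so the file compiles and runs with only the JDK.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.BiConsumer;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Builds the set of security response headers once (the init step the
 * review asks for) and replays them on every response with a plain map walk.
 * Example code; SecurityHeaderPolicy is a hypothetical name, not a Hadoop class.
 */
public final class SecurityHeaderPolicy {

    // The two defaults named in the issue description.
    static final String X_XSS_PROTECTION = "X-XSS-Protection";
    static final String X_XSS_PROTECTION_VALUE = "1; mode=block";
    static final String X_CONTENT_TYPE_OPTIONS = "X-Content-Type-Options";
    static final String X_CONTENT_TYPE_OPTIONS_VALUE = "nosniff";

    // Assumption: configured headers live under hadoop.http.header.<Name>, and the
    // suffix becomes the header name with '_' mapped to '-' (the issue's example
    // property is Strict_Transport_Security).
    static final Pattern HEADER_KEY =
            Pattern.compile("^hadoop\\.http\\.header\\.([A-Za-z0-9_]+)$");

    private final Map<String, String> headers;

    /** Init-time work: regex matching over the whole config happens here only. */
    public SecurityHeaderPolicy(Map<String, String> config) {
        Map<String, String> built = new LinkedHashMap<>();
        built.put(X_XSS_PROTECTION, X_XSS_PROTECTION_VALUE);
        built.put(X_CONTENT_TYPE_OPTIONS, X_CONTENT_TYPE_OPTIONS_VALUE);
        for (Map.Entry<String, String> e : config.entrySet()) {
            Matcher m = HEADER_KEY.matcher(e.getKey());
            if (!m.matches()) {
                continue;
            }
            String name = m.group(1).replace('_', '-');
            String value = e.getValue() == null ? "" : e.getValue().trim();
            // Defensive choice of this example: drop empty values and values that
            // contain CR or LF, which could otherwise split the header block.
            if (value.isEmpty() || value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0) {
                continue;
            }
            // A configured header with the same name overrides the default.
            built.put(name, value);
        }
        this.headers = Collections.unmodifiableMap(built);
    }

    /** The precomputed header set, in insertion order. */
    public Map<String, String> headers() {
        return headers;
    }

    /** Per-request work: no config scan, no regex, just the map. */
    public void apply(BiConsumer<String, String> setHeader) {
        headers.forEach(setHeader);
    }

    public static void main(String[] args) {
        // Constructed sample config standing in for core-site.xml.
        Map<String, String> config = new LinkedHashMap<>();
        config.put("hadoop.http.header.Strict_Transport_Security",
                "max-age=31536000; includeSubDomains");
        config.put("hadoop.http.header.X_Frame_Options", "SAMEORIGIN");
        config.put("hadoop.http.header.Bad_Value", "ok\r\nInjected: yes");
        config.put("hadoop.http.some.unrelated.key", "ignored");

        SecurityHeaderPolicy policy = new SecurityHeaderPolicy(config);
        // In a filter this lambda would be response::setHeader.
        policy.apply((name, value) -> System.out.println(name + ": " + value));
    }
}
```

Running `main` prints the two defaults followed by `Strict-Transport-Security` and `X-Frame-Options`; the `Bad_Value` entry is dropped because of the embedded CRLF, and the unrelated key never matches the pattern. In a real filter the constructor body is what belongs in `init` and `apply` is what `doFilter` calls.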