Hi Don, The one saving grace is that no one should ever host the Drill web UI on a public-facing web site. The UI provides lots of admin operations that one would not really want to expose openly.
A much better solution would be to wrap Drill in a custom-made web app that controls what someone can do; the same way that a DB is exposed via a custom app, not by a public-facing PhpMyAdmin... Still, this should be fixed. Please file a JIRA with your findings. Thanks, - Paul On Thursday, August 15, 2019, 8:33:19 PM PDT, Don Perial <perial...@gmail.com> wrote: It seems that there is no way to protect the WebUI from CSRF and the fact that the value for the access-control-allow-origin header is '*' appears to confound this issue as well. I have searched the documentation and also did quite a bit of Googling but have not seen any references to this. Is this known and/or intended behavior? The attached file should demonstrate the (elementary) attack. Thanks In advance, P