[ https://issues.apache.org/jira/browse/HBASE-15187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15163277#comment-15163277 ]
stack commented on HBASE-15187:
-------------------------------

Answer my questions [~ted_yu] please. They are simple enough. I think I know what the answers are but am asking you since you are the one hauling in the patch.

I started reading your citations but it just made me want to ask more questions (Chris describes NN attack which made me wonder what the equivalent CSRF attack vector in hbase would look like -- do you know? Stick it in the description if you do... the design doc talks about REST but why are our other servlets not also vulnerable -- the OWASP page you cite doesn't say anything about REST-only?)

The pointer to HBASE-15122 is immediately about XSS but I was referring to the fact that it pulls in the OWASP library which seems well conversant with CSRF attacks (going by the page you cite). I mentioned HBASE-15122 because I was wondering if the OWASP library has tooling to help with CSRF (It seems like no magic bullet, just a bunch of policy to be applied -- but I was asking you).

> Integrate CSRF prevention filter to REST gateway
> ------------------------------------------------
>
> Key: HBASE-15187
> URL: https://issues.apache.org/jira/browse/HBASE-15187
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Attachments: HBASE-15187.v1.patch, HBASE-15187.v2.patch, HBASE-15187.v3.patch, HBASE-15187.v4.patch, HBASE-15187.v5.patch, HBASE-15187.v6.patch, HBASE-15187.v7.patch, HBASE-15187.v8.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard against cross-site request forgery attacks.
> This issue tracks the integration of that filter into HBase REST gateway.