[
https://issues.apache.org/jira/browse/MESOS-5219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15249981#comment-15249981
]
Neil Conway commented on MESOS-5219:
------------------------------------
[~dlaidlaw] -- thanks for the report. I'm not very familiar with XSS attacks or
clickjacking -- can you describe a hypothetical scenario in which Mesos would
be involved in such an attack, and how the headers you suggest adding would
prevent the attack?
> Add security headers to HTTP response
> -------------------------------------
>
> Key: MESOS-5219
> URL: https://issues.apache.org/jira/browse/MESOS-5219
> Project: Mesos
> Issue Type: Improvement
> Components: HTTP API
> Reporter: Don Laidlaw
>
> Cross-site scripting and clickjacking are major concerns. Many issues can be
> resolved by setting some headers in the HTTP responses for the user interface
> and REST responses for both the master and slave processes.
> X-Frame-Options: Can be set to deny, sameorigin, or allow-from <uri>
> X-XSS-Protection: 1; mode=block
> These would go a long way to making sites using Mesos more secure. Note that
> the user exploiting attacks does not need to have access to the Mesos hosts;
> they are attacked through a user's web browser. So if the user can connect to
> both Mesos and the internet, it is an issue.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
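The two headers proposed in the issue are only effective when their values are ones the browser recognises: X-Frame-Options accepts DENY, SAMEORIGIN or ALLOW-FROM <uri> (an unrecognised value is ignored, so the page stays frameable), and X-XSS-Protection needs "1; mode=block" rather than a bare "1" to stop rendering instead of merely filtering. The following audit script is an added example written for this page, not Mesos or libprocess code. It parses raw HTTP responses and classifies the two headers the way a browser would; the two responses it checks are constructed inline to stand in for an unhardened and a hardened master endpoint, not captures from a real Mesos deployment.

```python
"""Classify the anti-clickjacking and XSS-filter headers discussed in MESOS-5219.

Added example, not part of Mesos. The sample responses below are constructed
for illustration; they are not captured from a real Mesos master or agent.
"""
from typing import Dict, List

# Constructed: a typical unhardened HTML response (no security headers).
UNHARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 6\r\n"
    "\r\n"
    "<html>"
)

# Constructed: the same response with the headers the issue asks for.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Length: 6\r\n"
    "\r\n"
    "<html>"
)


def parse_headers(raw: str) -> Dict[str, str]:
    """Return response headers as a lower-cased name -> value map.

    Only the head section (before the blank line) is inspected; the status
    line is skipped. Duplicate headers keep the last value seen.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def frame_policy(headers: Dict[str, str]) -> str:
    """Classify X-Frame-Options as a browser would.

    Returns one of: "missing", "deny", "sameorigin", "allow-from", "invalid".
    Per RFC 7034 an unrecognised value is ignored, so "invalid" is as
    frameable as "missing".
    """
    value = headers.get("x-frame-options")
    if value is None:
        return "missing"
    token, _, uri = value.strip().partition(" ")
    token = token.upper()
    if token in ("DENY", "SAMEORIGIN") and not uri.strip():
        return token.lower()
    if token == "ALLOW-FROM" and uri.strip():
        return "allow-from"
    return "invalid"


def xss_filter_policy(headers: Dict[str, str]) -> str:
    """Classify X-XSS-Protection.

    Returns one of: "missing", "disabled" (0), "filter" (1, sanitise and
    render), "block" (1; mode=block, do not render), "invalid".
    """
    value = headers.get("x-xss-protection")
    if value is None:
        return "missing"
    parts = [p.strip().lower() for p in value.split(";")]
    if parts[0] == "1":
        return "block" if "mode=block" in parts[1:] else "filter"
    if parts[0] == "0":
        return "disabled"
    return "invalid"


def audit(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means both headers are set
    to values that actually restrict the browser."""
    headers = parse_headers(raw)
    findings: List[str] = []
    fp = frame_policy(headers)
    if fp in ("missing", "invalid"):
        findings.append(
            f"X-Frame-Options {fp}: any origin may frame this page (clickjacking)")
    xp = xss_filter_policy(headers)
    if xp in ("missing", "disabled", "invalid"):
        findings.append(f"X-XSS-Protection {xp}: browser XSS filter not enforced")
    elif xp == "filter":
        findings.append("X-XSS-Protection is '1' only: set '1; mode=block' to stop rendering")
    return findings


if __name__ == "__main__":
    for label, resp in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(label, audit(resp) or ["ok"])
```

Two caveats for anyone applying this today rather than in 2016: browsers have since removed the X-XSS-Protection filter entirely, so that header no longer does anything, and Content-Security-Policy's frame-ancestors directive supersedes X-Frame-Options (and is the only way to allow more than one framing origin). The audit above checks exactly what the issue asked for, nothing more.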