[ 
https://issues.apache.org/jira/browse/MESOS-5918?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15987624#comment-15987624
 ] 

Anand Mazumdar commented on MESOS-5918:
---------------------------------------

We intend to move the Web UI eventually to use the v1 Operator API. When that 
happens, we won't be able to use jsonp at all owing to not being able to use 
{{POST}} requests. Based on previous discussions with UI folks, we did not want 
to use CORS due to security implications. Instead, the plan was to expose an 
endpoint on the master that would proxy requests to the agent (e.g., 
{{/forward}}). The endpoint would still be guarded by AuthN.

See MESOS-5735 for more context.

> Replace jsonp with a more secure alternative
> --------------------------------------------
>
>                 Key: MESOS-5918
>                 URL: https://issues.apache.org/jira/browse/MESOS-5918
>             Project: Mesos
>          Issue Type: Improvement
>          Components: webui
>            Reporter: Yan Xu
>
> We currently use the {{jsonp}} technique to bypass CORS check. This practice 
> has many security concerns (see discussions on MESOS-5911) so we should 
> replace it with a better alternative.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
