Hello Impala Public Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/18168

to look at the new patch set (#3).

Change subject: IMPALA-11078 Add simple CSP header to webui.
......................................................................

IMPALA-11078 Add simple CSP header to webui.

Content Security Policy (CSP) is a computer security standard designed
to prevent cross-site scripting, clickjacking and other code injection
attacks. CSP provides a method for websites to declare approved origins
of content that browsers should be allowed to load on that website.
A good resource is https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
If a page breaks the rules then the included script or css will
typically not be run by the browser.

In the Impala webui we use a CSP header to declare that all web content
comes from the impalad, with some 'unsafe' inline code.

A new server flag "--disable_content_security_policy_header=true" can be
set to disable the emission of this header in case of any compatibility
issues.

A few small changes were needed to make this CSP header work. Chart.js
was previously included via http; this was changed to being bundled
like other JavaScript and CSS we use. Some dodgy array code that
handles connection metrics was also fixed.

TESTING:
  The main webui tests all now validate the CSP header is present.
  A test for the new flag is also added.

Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
---
M be/src/util/webserver.cc
M tests/custom_cluster/test_web_pages.py
M tests/webserver/test_web_pages.py
A www/Chart-2.7.3.min.js
M www/admission_controller.tmpl
M www/rpcz.tmpl
6 files changed, 62 insertions(+), 24 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/68/18168/3
--
To view, visit http://gerrit.cloudera.org:8080/18168
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Idc335d65b117661da0b420ddb7c9ccd80d8d76ab
Gerrit-Change-Number: 18168
Gerrit-PatchSet: 3
Gerrit-Owner: Andrew Sherman <asher...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
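
The commit message above says the policy limits content to the serving host plus inline code, which is why Chart.js had to be bundled. The following is an added example, not code from this change or from Impala: it evaluates a small subset of CSP (`'self'`, `'unsafe-inline'`, exact `scheme://host` sources) against the resources a page loads. The policy string, host names and URLs are constructed assumptions; the message does not show the actual header value.

```python
from urllib.parse import urlsplit

# Constructed policy matching the description "everything from the serving
# host, inline code allowed". Assumption: the real header value is not shown.
SAMPLE_POLICY = "default-src 'self' 'unsafe-inline'"
DIRECTIVE_FOR = {"script": "script-src", "style": "style-src"}

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        # Per the CSP spec, a repeated directive is ignored; the first one wins.
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def is_allowed(policy, page_url, kind, resource_url=None):
    """True if the browser would load the resource; None URL means inline code."""
    sources = policy.get(DIRECTIVE_FOR[kind], policy.get("default-src"))
    if sources is None:
        return True  # no governing directive (or no header): unrestricted
    if resource_url is None:
        return "'unsafe-inline'" in sources
    page, res = urlsplit(page_url), urlsplit(resource_url)
    if not res.netloc:
        return "'self'" in sources  # relative URL resolves to the page's origin
    origin = (res.scheme, res.netloc)
    for src in sources:
        if src == "'self'" and origin == (page.scheme, page.netloc):
            return True
        if "://" in src and origin == urlsplit(src)[:2]:
            return True
    return False

def blocked(header, page_url, resources):
    """Return the (kind, url) pairs from resources that the policy rejects."""
    policy = parse_csp(header)
    return [r for r in resources if not is_allowed(policy, page_url, *r)]
```

Passing an empty header string models the case where the header is disabled: nothing is restricted, so `blocked` returns an empty list.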
