Github user krishna-pandey commented on the issue:

    https://github.com/apache/spark/pull/19419
  
    @rxin, @srowen I think we can enable X-XSS-Protection and 
X-Content-Type-Options response header by default. STS Header can be left 
configurable or enabled by default when Spark UI is running on HTTPS.
    
    **Word of caution**: When the X-Content-Type-Options HTTP response header is 
set to "nosniff", it will block a request if the requested type is "style" and 
the MIME type is not "text/css", or when the requested type is "script" and the 
MIME type is not a JavaScript MIME type.


---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscr...@spark.apache.org
For additional commands, e-mail: reviews-h...@spark.apache.org
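
The check described in the word of caution above, as an added example that is not part of the original comment or of the Spark code base: it models the browser's nosniff decision so a UI's static assets can be audited before the header is turned on by default. The JavaScript MIME type list follows the WHATWG MIME Sniffing standard; the URLs and headers in the sample are constructed.

```javascript
// Added example: model of the browser check applied when a response
// carries X-Content-Type-Options: nosniff.
const JS_MIME_ESSENCES = new Set([
  "application/ecmascript", "application/javascript",
  "application/x-ecmascript", "application/x-javascript",
  "text/ecmascript", "text/javascript", "text/javascript1.0",
  "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
  "text/javascript1.4", "text/javascript1.5", "text/jscript",
  "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce a Content-Type value to its lowercase "type/subtype" essence.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return "";
  return contentType.split(";")[0].trim().toLowerCase();
}

// destination: "style" or "script" (the requested type).
// headers: plain object of response headers, names in any case.
function blockedByNosniff(destination, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const xcto = (h["x-content-type-options"] || "")
    .split(",")[0].trim().toLowerCase();
  if (xcto !== "nosniff") return false;      // header absent: browser may sniff
  const essence = mimeEssence(h["content-type"]);
  if (destination === "style") return essence !== "text/css";
  if (destination === "script") return !JS_MIME_ESSENCES.has(essence);
  return false;                              // other request types unaffected
}

// Constructed sample: assets as a UI might serve them (hypothetical paths).
const NOSNIFF = { "X-Content-Type-Options": "nosniff" };
const SAMPLE_RESPONSES = [
  { url: "/static/theme.css", destination: "style",
    headers: { ...NOSNIFF, "Content-Type": "text/plain" } },
  { url: "/static/table.css", destination: "style",
    headers: { ...NOSNIFF, "Content-Type": "text/css; charset=utf-8" } },
  { url: "/static/app.js", destination: "script",
    headers: { ...NOSNIFF, "Content-Type": "application/json" } },
  { url: "/static/util.js", destination: "script",
    headers: { "x-content-type-options": "NoSniff", "content-type": "text/javascript" } },
  { url: "/static/legacy.js", destination: "script",
    headers: { "Content-Type": "text/plain" } },
];

// Return the URLs that would stop loading once nosniff is enabled.
function audit(responses) {
  return responses
    .filter((r) => blockedByNosniff(r.destination, r.headers))
    .map((r) => r.url);
}
```

Assets the audit reports need their Content-Type corrected on the server before nosniff becomes the default.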
