Elek, Marton created HDFS-12693:
-----------------------------------

             Summary: Ozone: Enable XFrame options for KSM/SCM web ui
                 Key: HDFS-12693
                 URL: https://issues.apache.org/jira/browse/HDFS-12693
             Project: Hadoop HDFS
          Issue Type: Sub-task
          Components: ozone
    Affects Versions: HDFS-7240
            Reporter: Elek, Marton
            Assignee: Elek, Marton
According to the discussion about the security checklist on the dev list, I started to check the security features of the existing HttpServer2 and found that by default the XFrame option headers are disabled.

This patch enables it by default for the SCM/KSM server, similar to the Namenode/Datanode web UI.

(Note: Even if the only form on the SCM/KSM UIs is the standard LogLevel form, I think it's a good practice to enable it by default.)

Test:

Without the patch (clean build, SCM ui):

{code}
curl -v localhost:9876/jmx -o /dev/null
* TCP_NODELAY set
* Connected to localhost (::1) port 9876 (#0)
> GET /jmx HTTP/1.1
> Host: localhost:9876
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 21 Oct 2017 19:54:43 GMT
< Cache-Control: no-cache
< Expires: Sat, 21 Oct 2017 19:54:43 GMT
< Date: Sat, 21 Oct 2017 19:54:43 GMT
< Pragma: no-cache
< Content-Type: application/json; charset=utf8
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Origin: *
< Transfer-Encoding: chunked
{code}

With the patch:

{code}
curl -v localhost:9876/jmx -o /dev/null
* Connected to localhost (::1) port 9876 (#0)
> GET /jmx HTTP/1.1
> Host: localhost:9876
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 21 Oct 2017 19:55:07 GMT
< Cache-Control: no-cache
< Expires: Sat, 21 Oct 2017 19:55:07 GMT
< Date: Sat, 21 Oct 2017 19:55:07 GMT
< Pragma: no-cache
< Content-Type: application/json; charset=utf8
< X-FRAME-OPTIONS: SAMEORIGIN
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Origin: *
< Transfer-Encoding: chunked
{code}

Note: the X-FRAME-OPTIONS header exists in the second case.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
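The manual check in the ticket is "eyeball the curl -v output for X-FRAME-OPTIONS". The following is an added example, not code from the Hadoop/Ozone project or from the reporter: a small Python checker that parses raw response headers (or pasted curl -v output) and classifies the X-Frame-Options state, so the before/after comparison above can be automated against any HttpServer2 endpoint. The two sample responses embedded in the block are constructed to mirror the curl runs quoted above; the classification rules (DENY and SAMEORIGIN count as protective, ALLOW-FROM does not, multiple values are flagged) are the example's own policy, not something the ticket states.

```python
"""Classify the X-Frame-Options state of an HTTP response.

Added example for HDFS-12693 discussion; not part of Hadoop/Ozone.
Input is either raw HTTP/1.1 header text or the response portion of
`curl -v` output (lines prefixed with '< ').
"""

# Header values that actually prevent framing by other origins (RFC 7034).
# ALLOW-FROM is obsolete and ignored by current browsers, so it is reported
# as unsafe here rather than trusted. This policy is the example's own.
SAFE_VALUES = {"DENY", "SAMEORIGIN"}


def parse_headers(raw):
    """Return {lower-cased header name: [values...]} from raw header text.

    Skips the status line, curl's request lines ('> ...') and chatter
    ('* ...'). Repeated headers (e.g. the two Date: lines HttpServer2
    emits) are kept as separate values instead of being overwritten.
    """
    headers = {}
    for line in raw.splitlines():
        line = line.strip()
        if line.startswith("< "):
            line = line[2:]                # curl -v response marker
        elif line.startswith(("> ", "* ")):
            continue                       # request side / curl status
        if not line or line.startswith("HTTP/"):
            continue                       # blank or status line
        name, sep, value = line.partition(":")
        if not sep:
            continue                       # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def xframe_status(raw):
    """Return one of 'missing', 'safe', 'unsafe', 'conflicting'.

    Header names are matched case-insensitively: HttpServer2 sends
    X-FRAME-OPTIONS in upper case, browsers do not care, so the check
    must not either. More than one value is reported as 'conflicting'
    because browser handling of that case differs; treat it as a
    misconfiguration rather than guessing which value wins.
    """
    values = parse_headers(raw).get("x-frame-options", [])
    if not values:
        return "missing"
    if len(values) > 1:
        return "conflicting"
    return "safe" if values[0].upper() in SAFE_VALUES else "unsafe"


def check_all(responses):
    """Map {label: raw response} to {label: status}; labels are arbitrary."""
    return {label: xframe_status(raw) for label, raw in responses.items()}


# Constructed samples modelled on the two curl runs in the ticket.
WITHOUT_PATCH = """\
< HTTP/1.1 200 OK
< Date: Sat, 21 Oct 2017 19:54:43 GMT
< Cache-Control: no-cache
< Expires: Sat, 21 Oct 2017 19:54:43 GMT
< Date: Sat, 21 Oct 2017 19:54:43 GMT
< Pragma: no-cache
< Content-Type: application/json; charset=utf8
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Origin: *
< Transfer-Encoding: chunked
"""

WITH_PATCH = """\
< HTTP/1.1 200 OK
< Date: Sat, 21 Oct 2017 19:55:07 GMT
< Cache-Control: no-cache
< Expires: Sat, 21 Oct 2017 19:55:07 GMT
< Date: Sat, 21 Oct 2017 19:55:07 GMT
< Pragma: no-cache
< Content-Type: application/json; charset=utf8
< X-FRAME-OPTIONS: SAMEORIGIN
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Origin: *
< Transfer-Encoding: chunked
"""

if __name__ == "__main__":
    # Pipe real output in with:  curl -sv localhost:9876/jmx -o /dev/null 2>&1 | python3 this.py
    import sys
    if not sys.stdin.isatty():
        print(xframe_status(sys.stdin.read()))
    else:
        for label, status in check_all({"before": WITHOUT_PATCH, "after": WITH_PATCH}).items():
            print(label, status)
```

Run it against the live SCM/KSM port with the curl pipeline in the `__main__` block; "missing" reproduces the pre-patch state and "safe" the post-patch one. Because the parser keeps repeated headers, the same `parse_headers` output also exposes the duplicated `Date:` header visible in both curl runs, which is harmless but worth knowing about when reading HttpServer2 responses.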