It seems that there is no way to protect the WebUI from CSRF and the fact
that the value for the access-control-allow-origin header is '*' appears to
confound this issue as well. I have searched the documentation and also did
quite a bit of Googling but have not seen any references to this. Is this

Hi Don,
The one saving grace is that no one should ever host the Drill web UI on a
public-facing web site. The UI provides lots of admin operations that one would
not really want to expose openly.
A much better solution would be to wrap Drill in a custom-made web app that
controls what someon

Thanks Paul. Filed DRILL-7351 for this.

It's worth noting that hosting a web app (such as the Drill web UI) does
not prevent CSRF attacks as a malicious web site can still attempt to call
into private/non-public websites (e.g. from JavaScript in the browser), it
may not get access to the reply but

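The point made in the reply above, as an added example that is not part of the thread and not Apache Drill's code: the browser attaches the session cookie to a form POST regardless of where the page that submitted it lives, and `Access-Control-Allow-Origin` only decides whether the other site's script may read the response. A check that relies on the cookie alone therefore accepts the cross-site request; a check that also requires an allowed `Origin` (or `Referer`) and a per-session token that foreign pages cannot read rejects it. The origin `http://drill.example.internal:8047` and the two sample requests are constructed for the example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the UI is served only at this hypothetical internal origin.
ALLOWED_ORIGINS = {"http://drill.example.internal:8047"}


def issue_csrf_token() -> str:
    """Generate a per-session secret. The server keeps it in the session and
    embeds it in its own forms; a page on another origin cannot read it."""
    return secrets.token_urlsafe(32)


def request_origin(headers: dict) -> Optional[str]:
    """Derive the requesting origin from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def cookie_only_check(headers: dict) -> bool:
    """What a cookie-session UI effectively does with no CSRF defence: the
    browser attached the session cookie, so the request is treated as the
    user's. A form POST issued from another site passes this check, which is
    the CSRF problem. A permissive Access-Control-Allow-Origin does not change
    whether the request is sent, only whether its reply is readable."""
    return "session=" in headers.get("Cookie", "")


def csrf_check(headers: dict, submitted_token: Optional[str],
               session_token: str,
               allowed_origins: set = ALLOWED_ORIGINS) -> tuple:
    """Defensive check for a state-changing request. Returns (ok, reason).
    Both conditions must hold: an allowed origin and a matching token."""
    origin = request_origin(headers)
    if origin is None or origin not in allowed_origins:
        return False, "origin not allowed"
    if submitted_token is None:
        return False, "missing token"
    # Constant-time comparison so the check does not leak the token length.
    if not hmac.compare_digest(submitted_token, session_token):
        return False, "token mismatch"
    return True, "ok"


# Constructed sample requests (not captured from a real deployment).
SESSION_TOKEN = issue_csrf_token()

# A form POST submitted by a page on some other site: the browser still
# sends the session cookie, but sets Origin to that site and the page has
# no way to obtain the session token.
CROSS_SITE_POST = {
    "headers": {"Origin": "http://other-site.example",
                "Cookie": "session=abc123"},
    "token": None,
}

# A form POST from the UI's own page, carrying the embedded token.
SAME_SITE_POST = {
    "headers": {"Origin": "http://drill.example.internal:8047",
                "Cookie": "session=abc123"},
    "token": SESSION_TOKEN,
}


if __name__ == "__main__":
    for name, req in (("cross-site", CROSS_SITE_POST), ("same-site", SAME_SITE_POST)):
        weak = cookie_only_check(req["headers"])
        strong = csrf_check(req["headers"], req["token"], SESSION_TOKEN)
        print(f"{name}: cookie-only accepts={weak}, csrf_check={strong}")
```

Running the block shows the cookie-only check accepting both requests while `csrf_check` rejects the cross-site one with "origin not allowed". The origin check alone is the cheaper of the two controls; the token covers cases where a browser omits `Origin` and `Referer`, which is why the function requires both.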
Don Perial created DRILL-7351:
-
Summary: WebUI is Vulnerable to CSRF
Key: DRILL-7351
URL: https://issues.apache.org/jira/browse/DRILL-7351
Project: Apache Drill
Issue Type: Bug