Re: WebUI is Vulnerable to CSRF?

2019-08-15 Thread Don Perial
Thanks Paul. Filed DRILL-7351 for this. It's worth noting that hosting a web app (such as the Drill web UI) does not prevent CSRF attacks as a malicious web site can still attempt to call into private/non-public websites (e.g. from JavaScript in the browser), it may not get access to the reply but

[jira] [Created] (DRILL-7351) WebUI is Vulnerable to CSRF

2019-08-15 Thread Don Perial (JIRA)
Don Perial created DRILL-7351:
- Summary: WebUI is Vulnerable to CSRF
- Key: DRILL-7351
- URL: https://issues.apache.org/jira/browse/DRILL-7351
- Project: Apache Drill
- Issue Type: Bug

Re: WebUI is Vulnerable to CSRF?

2019-08-15 Thread Paul Rogers
Hi Don, The one saving grace is that no one should ever host the Drill web UI on a public-facing web site. The UI provides lots of admin operations that one would not really want to expose openly. A much better solution would be to wrap Drill in a custom-made web app that controls what

WebUI is Vulnerable to CSRF?

2019-08-15 Thread Don Perial
It seems that there is no way to protect the WebUI from CSRF and the fact that the value for the access-control-allow-origin header is '*' appears to confound this issue as well. I have searched the documentation and also did quite a bit of Googling but have not seen any references to this. Is