[ https://issues.apache.org/jira/browse/HDFS-10579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15366764#comment-15366764 ]

Haibo Chen commented on HDFS-10579:
-----------------------------------

Thanks [~anu] a lot for working on this! I totally did not notice compatibility 
issues on branch-2. A few comments. 
1)  xFrameOption and xFrameOptionIsEnabled (of HttpServer2) are declared as 
static but used as instance variables. Can you make them non-static? Of course, 
QuotingInputFilter has to be non-static to access them.
2) testHttpResonseContainsXFrameOptions, testHttpResonseContainsDeny and 
testHttpResonseContainsAllowFrom are the same except for the x-frame-option 
config. You could have a common method that takes x-frame-option as a 
parameter and does the verification. Then the three test methods can simply 
call that method with a different x-frame-option.
3) The patch touches both HttpServer2, which is in COMMON, and HDFS servers. Can 
you create a parent jira against COMMON to make HttpServer2 changes, then 
create a sub task against HDFS of that to make HDFS changes? Other components 
also use HttpServer2, such as MR. If needed, we could add more subtasks for 
each of the components.

> HDFS web interfaces lack configs for X-FRAME-OPTIONS protection
> ---------------------------------------------------------------
>
>                 Key: HDFS-10579
>                 URL: https://issues.apache.org/jira/browse/HDFS-10579
>             Project: Hadoop HDFS
>          Issue Type: Bug
>          Components: datanode, namenode
>    Affects Versions: 3.0.0-alpha1
>            Reporter: Anu Engineer
>            Assignee: Anu Engineer
>             Fix For: 2.9.0
>
>         Attachments: HDFS-10579.001.patch, HDFS-10579.002.patch
>
>
> This JIRA proposes to extend the work done in HADOOP-12964 and enable a 
> configuration value that enables or disables that option. This JIRA will also 
> add an ability to pick the right x-frame-option, since right now it looks 
> like we have hardcoded that to SAMEORIGIN.
> This allows HDFS to remain backward compatible as required by the branch-2.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
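
Review point 1 above, shown as an added sketch (not code from the patch or from Hadoop): when the enable flag and the x-frame-option value are static, the last server constructed in a JVM decides the header for every server. All class, field and method names here are hypothetical, and only DENY and SAMEORIGIN are modelled.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class XFrameOptionScopeDemo {
  /** Two of the header values named in the thread; anything else is rejected. */
  enum XFrameOption {
    DENY, SAMEORIGIN;
    static XFrameOption parse(String s) {
      for (XFrameOption o : values()) {
        if (o.name().equalsIgnoreCase(s.trim())) { return o; }
      }
      throw new IllegalArgumentException("Unsupported x-frame-option: " + s);
    }
  }

  /** Problem shape: static fields that every constructor call overwrites. */
  static class SharedStateServer {
    static boolean enabled;
    static XFrameOption option;
    SharedStateServer(boolean on, String opt) {
      enabled = on;
      option = XFrameOption.parse(opt);
    }
    Map<String, String> headers() { return build(enabled, option); }
  }

  /** Per-instance fields: each server keeps the setting it was built with. */
  static class PerInstanceServer {
    private final boolean enabled;
    private final XFrameOption option;
    PerInstanceServer(boolean on, String opt) {
      enabled = on;
      option = XFrameOption.parse(opt);
    }
    Map<String, String> headers() { return build(enabled, option); }
  }

  /** When disabled, no header is added, which keeps the old response shape. */
  static Map<String, String> build(boolean enabled, XFrameOption option) {
    Map<String, String> h = new LinkedHashMap<>();
    if (enabled) { h.put("X-FRAME-OPTIONS", option.name()); }
    return h;
  }

  public static void main(String[] args) {
    SharedStateServer a = new SharedStateServer(true, "DENY");
    new SharedStateServer(false, "SAMEORIGIN"); // second server also rewrites a's settings
    System.out.println("static fields, first server:   " + a.headers());
    PerInstanceServer c = new PerInstanceServer(true, "DENY");
    new PerInstanceServer(false, "SAMEORIGIN"); // second server leaves c untouched
    System.out.println("instance fields, first server: " + c.headers());
  }
}
```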
