[jira] [Commented] (YARN-7338) Support same origin policy for cross site scripting prevention.

Mon, 16 Oct 2017 23:29:25 -0700 

    [ 
https://issues.apache.org/jira/browse/YARN-7338?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16207080#comment-16207080
 ] 

Eric Yang commented on YARN-7338:
---------------------------------

Hi [~sunilg],

If the new UI has ability to view container execution log, then it is possible 
that javascript output in the log cause browser to execute unauthorized cross 
site scripts.

There are two requirements to secure javascript.

# Set document.domain property in javascript
# Set Access-Control-Allow-Origin: http://[hostname]/ws/v1/

The first javascript property is to make sure the javascript only evaluates 
ajax call to the same origin.  The second header is respond by server to ensure 
that access control can only be coming from the same origin.  It is likely that 
Access-Control-Allow-Origin needs to be set to a narrow list of /ws/v1/ prefix 
to be secured.

> Support same origin policy for cross site scripting prevention.
> ---------------------------------------------------------------
>
>                 Key: YARN-7338
>                 URL: https://issues.apache.org/jira/browse/YARN-7338
>             Project: Hadoop YARN
>          Issue Type: Sub-task
>          Components: yarn-ui-v2
>            Reporter: Vrushali C
>
> Opening jira as suggested b [~eyang] on the thread for merging YARN-3368 (new 
> web UI) to branch2  
> http://mail-archives.apache.org/mod_mbox/hadoop-yarn-dev/201610.mbox/%3ccad++ecmvvqnzqz9ynkvkcxaczdkg50yiofxktgk3mmms9sh...@mail.gmail.com%3E
> ----------
> Ui2 does not seem to support same origin policy for cross site scripting 
> prevention.
> The following parameters has no effect for /ui2:
> hadoop.http.cross-origin.enabled = true
> yarn.resourcemanager.webapp.cross-origin.enabled = true
> This is because ui2 is designed as a separate web application.  WebFilters 
> setup for existing resource manager doesn’t apply to the new web application.
> Please open JIRA to track the security issue and resolve the problem prior to 
> backporting this to branch-2.
> This would minimize the risk to open up security hole in branch-2.
> ----------



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org

Reply via email to