[
https://issues.apache.org/jira/browse/YARN-10833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17371888#comment-17371888
]
Andras Gyori commented on YARN-10833:
-------------------------------------
Thank you [~bteke] for the patch! Altogether it seems good to me, but I have
the following additions:
* xfsConfigPrefix is null in TestWebApp, hence the NPE.
* WebApps#L337 is already calculated once and named xFrameOptions
* This part should also be more resilient to NPEs.
* In TestRMWithXFSFilter I can see that the default behaviour for
X-FRAME-OPTIONS was DENY. Is it an intentional design decision to change it to
SAME-ORIGIN?
> RM logs endpoint vulnerable to clickjacking
> -------------------------------------------
>
> Key: YARN-10833
> URL: https://issues.apache.org/jira/browse/YARN-10833
> Project: Hadoop YARN
> Issue Type: Bug
> Reporter: Benjamin Teke
> Assignee: Benjamin Teke
> Priority: Major
> Attachments: YARN-10833.001.patch
>
>
> The /logs endpoint is missing the X-FRAME-OPTIONS in the response header,
> even though YARN is configured to do include it. This makes it vulnerable to
> clickjacking.
> {code:java}
> Request URL: http://{{rm_host}}:8088/logs/
> Request Method: GET
> Status Code: 200 OK
> Remote Address: [::1]:8088
> Referrer Policy: strict-origin-when-cross-origin
> HTTP/1.1 200 OK
> Date: Fri, 25 Jun 2021 17:38:38 GMT
> Cache-Control: no-cache
> Expires: Fri, 25 Jun 2021 17:38:38 GMT
> Date: Fri, 25 Jun 2021 17:38:38 GMT
> Pragma: no-cache
> Content-Type: text/html;charset=utf-8
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> Content-Length: 469
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
