[ https://issues.apache.org/jira/browse/YARN-10833?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benjamin Teke updated YARN-10833:
---------------------------------
    Attachment: YARN-10833.002.patch

> RM logs endpoint vulnerable to clickjacking
> -------------------------------------------
>
>                 Key: YARN-10833
>                 URL: https://issues.apache.org/jira/browse/YARN-10833
>             Project: Hadoop YARN
>          Issue Type: Bug
>            Reporter: Benjamin Teke
>            Assignee: Benjamin Teke
>            Priority: Major
>         Attachments: YARN-10833.001.patch, YARN-10833.002.patch
>
>
> The /logs endpoint is missing the X-FRAME-OPTIONS in the response header, even though YARN is configured to include it. This makes it vulnerable to clickjacking.
> {code:java}
> Request URL: http://{{rm_host}}:8088/logs/
> Request Method: GET
> Status Code: 200 OK
> Remote Address: [::1]:8088
> Referrer Policy: strict-origin-when-cross-origin
> HTTP/1.1 200 OK
> Date: Fri, 25 Jun 2021 17:38:38 GMT
> Cache-Control: no-cache
> Expires: Fri, 25 Jun 2021 17:38:38 GMT
> Date: Fri, 25 Jun 2021 17:38:38 GMT
> Pragma: no-cache
> Content-Type: text/html;charset=utf-8
> X-Content-Type-Options: nosniff
> X-XSS-Protection: 1; mode=block
> Content-Length: 469
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-issues-h...@hadoop.apache.org
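The issue is detected by looking at the response headers, so a small audit helper is the natural way to verify the fix across endpoints. The following Python is an added example, not code from the Jira issue or from Hadoop/YARN: it parses a raw response header block (the constructed samples reproduce the header set quoted above, once without and once with an `X-Frame-Options` header) and reports whether a frame-embedding restriction is present. It goes slightly beyond the issue by also recognising a `Content-Security-Policy` `frame-ancestors` directive, which modern browsers honour in preference to `X-Frame-Options`, and by flagging the obsolete `ALLOW-FROM` form. The function names (`parse_headers`, `audit_framing`, `fetch_raw_headers`) are this example's own.

```python
"""Audit an HTTP response header block for clickjacking protection.

Added example, not Hadoop/YARN code. Checks for X-Frame-Options (DENY or
SAMEORIGIN) or a Content-Security-Policy frame-ancestors directive.
"""
import re
import urllib.request
from typing import Dict, List, Tuple

# Constructed sample: the response headers quoted in the issue (no X-Frame-Options).
VULNERABLE_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 25 Jun 2021 17:38:38 GMT
Cache-Control: no-cache
Expires: Fri, 25 Jun 2021 17:38:38 GMT
Date: Fri, 25 Jun 2021 17:38:38 GMT
Pragma: no-cache
Content-Type: text/html;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 469
"""

# Constructed sample: the same response once the endpoint sends the header.
FIXED_RESPONSE = VULNERABLE_RESPONSE + "X-Frame-Options: SAMEORIGIN\n"

# Values that browsers still enforce; ALLOW-FROM has been dropped everywhere.
VALID_XFO = {"deny", "sameorigin"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw header block into a lower-cased name -> values multimap.

    The status line (no colon) is skipped; repeated headers such as the
    duplicated Date in the sample are kept as separate values.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")  # split on the first colon only
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_framing(raw: str) -> Tuple[bool, List[str]]:
    """Return (protected, findings) for a raw response header block."""
    headers = parse_headers(raw)
    findings: List[str] = []
    protected = False

    xfo = headers.get("x-frame-options", [])
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif len(xfo) > 1:
        findings.append("multiple X-Frame-Options headers; browsers may ignore conflicting values")
    else:
        value = xfo[0].lower()
        if value in VALID_XFO:
            protected = True
        elif value.startswith("allow-from"):
            findings.append("X-Frame-Options ALLOW-FROM is not supported by current browsers")
        else:
            findings.append(f"unrecognised X-Frame-Options value: {xfo[0]!r}")

    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    csp_frame = None
    for csp in headers.get("content-security-policy", []):
        match = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
        if match:
            csp_frame = match.group(1).strip()
    if csp_frame is None:
        findings.append("no Content-Security-Policy frame-ancestors directive")
    else:
        protected = True
        findings.append(f"CSP frame-ancestors: {csp_frame}")

    return protected, findings


def fetch_raw_headers(url: str, timeout: float = 5.0) -> str:
    """Fetch a URL and return its status line plus headers as a raw block.

    Non-2xx responses raise urllib.error.HTTPError; kept simple on purpose.
    """
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        status = f"HTTP/1.1 {resp.status} {resp.reason}"
        lines = [f"{name}: {value}" for name, value in resp.getheaders()]
    return "\n".join([status, *lines]) + "\n"


if __name__ == "__main__":
    for label, sample in (("as reported", VULNERABLE_RESPONSE), ("after fix", FIXED_RESPONSE)):
        ok, notes = audit_framing(sample)
        print(f"{label}: {'protected' if ok else 'VULNERABLE'}; " + "; ".join(notes))
```

To check a live endpoint, pass `fetch_raw_headers("http://<rm_host>:8088/logs/")` to `audit_framing`; running it against every web endpoint (not only the ones the framework's filter is known to cover) is what catches the class of gap this issue describes, where the header is configured globally but one handler bypasses the filter.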