[ https://issues.apache.org/jira/browse/YARN-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14127592#comment-14127592 ]
Jonathan Eagles commented on YARN-2528: --------------------------------------- [~zjshen], sorry to bother you again. Found another bug while working on getting the Tez UI running in a hosted environment. Can you give a review? > Cross Origin Filter Http response split vulnerability protection rejects > valid origins > -------------------------------------------------------------------------------------- > > Key: YARN-2528 > URL: https://issues.apache.org/jira/browse/YARN-2528 > Project: Hadoop YARN > Issue Type: Sub-task > Components: timelineserver > Reporter: Jonathan Eagles > Assignee: Jonathan Eagles > Attachments: YARN-2528-v1.patch > > > URLEncoding is too strong of a protection for HTTP Response Split > Vulnerability protection and major browser reject the encoded Origin. An > adequate protection is simply to remove all CRs LFs as in the case of PHP's > header function. -- This message was sent by Atlassian JIRA (v6.3.4#6332)