  1. HBase
  2. HBASE-14148

Web UI Framable Page


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 1.2.0, 1.3.0, 2.0.0
    • security, UI
    • None
    • Security fix: Adds protection from clickjacking using X-Frame-Options header.
      This will prevent use of HBase UI in frames. To disable this feature, set the configuration 'hbase.http.filter.xframeoptions.mode' to 'ALLOW' (default is 'DENY').

    Description

      The web UIs do not include the "X-Frame-Options" header to prevent the pages from being framed from another site.

      Reference:
      https://www.owasp.org/index.php/Clickjacking
      https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
      https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
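
As an added example (not part of the issue or of the attached HBase patches), a header check an operator could run over captured web UI responses to confirm that the anti-framing header is present and carries a value browsers enforce. The function names and sample headers are constructed for illustration, and the check goes beyond the issue by also reading the CSP `frame-ancestors` directive.

```python
# Added example: classify anti-framing headers on a captured HTTP response.
ENFORCED_XFO = {"deny", "sameorigin"}  # other values are ignored by current browsers


def xfo_tokens(headers):
    """Merge repeated and comma-separated X-Frame-Options values (names are case-insensitive)."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            tokens |= {t.strip().lower() for t in value.split(",") if t.strip()}
    return tokens


def frame_ancestors(headers):
    """Return the CSP frame-ancestors source list, or None when the directive is absent."""
    for name, value in headers:
        if name.lower() == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    return [p.lower() for p in parts[1:]]
    return None


def framing_verdict(headers):
    """Return 'deny', 'sameorigin', 'allowlist', 'conflict' or 'framable'."""
    ancestors = frame_ancestors(headers)
    if ancestors is not None:  # supporting browsers prefer this over X-Frame-Options
        if "*" in ancestors:
            return "framable"
        if ancestors in ([], ["'none'"]):
            return "deny"
        return "sameorigin" if ancestors == ["'self'"] else "allowlist"
    tokens = xfo_tokens(headers)
    if len(tokens) > 1:
        return "conflict"  # mixed values: fix the server rather than rely on browser handling
    if tokens and tokens <= ENFORCED_XFO:
        return tokens.pop()
    return "framable"  # header missing, or a value browsers do not enforce


# Constructed sample responses (not captured from a real HBase instance).
SAMPLES = {
    "no header": [("Content-Type", "text/html")],
    "default DENY": [("Content-Type", "text/html"), ("x-frame-options", "DENY")],
    "duplicate header": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "obsolete value": [("X-Frame-Options", "ALLOW-FROM https://portal.example")],
    "csp wins": [("X-Frame-Options", "DENY"),
                 ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
}
```

A verdict of 'framable' or 'conflict' on a UI page is the finding to act on; 'allowlist' means the listed origins need manual review.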

      Attachments

        1. HBASE-14148-master.patch
          8 kB
          Apekshit Sharma
        2. HBASE-14148-v2-master.patch
          10 kB
          Apekshit Sharma
        3. HBASE-14148-v3-master.patch
          11 kB
          Apekshit Sharma
        4. HBASE-14148-cleanroom.1.patch
          5 kB
          Gabor Liptak
        5. HBASE-14148-cleanroom.2.patch
          6 kB
          Gabor Liptak
        6. HBASE-14148-cleanroom.3.patch
          6 kB
          Gabor Liptak


          People

            gliptak Gabor Liptak
            appy Apekshit Sharma