[HBASE-14148] Web UI Framable Page - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.2.0, 1.3.0, 2.0.0
Component/s: security, UI
Labels:
None

Release Note:

Hide
Security fix: Adds protection from clickjacking using X-Frame-Options header.
This will prevent use of HBase UI in frames. To disable this feature, set the configuration 'hbase.http.filter.xframeoptions.mode' to 'ALLOW' (default is 'DENY').

Show
Security fix: Adds protection from clickjacking using X-Frame-Options header. This will prevent use of HBase UI in frames. To disable this feature, set the configuration 'hbase.http.filter.xframeoptions.mode' to 'ALLOW' (default is 'DENY').

Description

The web UIs do not include the "X-Frame-Options" header to prevent the pages from being framed from another site.

Reference:
https://www.owasp.org/index.php/Clickjacking
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HBASE-14148-v3-master.patch
24/Jul/15 19:36
11 kB
Apekshit Sharma
HBASE-14148-v2-master.patch
23/Jul/15 19:33
10 kB
Apekshit Sharma
HBASE-14148-master.patch
22/Jul/15 23:37
8 kB
Apekshit Sharma
HBASE-14148-cleanroom.3.patch
02/Aug/15 00:31
6 kB
Gabor Liptak
HBASE-14148-cleanroom.2.patch
01/Aug/15 21:51
6 kB
Gabor Liptak
HBASE-14148-cleanroom.1.patch
01/Aug/15 17:54
5 kB
Gabor Liptak

Activity

People

Assignee:: Gabor Liptak

Reporter:: Apekshit Sharma

Votes:: 0 Vote for this issue

Watchers:: 10 Start watching this issue

Dates

Created:: 22/Jul/15 23:32

Updated:: 01/Jul/22 20:43

Resolved:: 20/Aug/15 02:45