Regarding the note in the doc, I could add it here or to HDFS-12381 as a general comment on security and not only about the Web UI.
Adding it to HDFS-12381 is simplest.
XSS isn't quite related to HDFS-12284, so if at all you want to postpone the analysis, would it make sense to file a different JIRA?
Sure, fair enough. Even if "harden the federation UI" is closed without requiring any code, it'd be useful for tracking.
If we defer hardening the UI to after the merge, the current patch seems fine to me.