[HIVE-17679] http-generic-click-jacking for WebHcat server - ASF JIRA

Log work

Agile Board

Rank to Top

Rank to Bottom

Bulk Copy Attachments

Bulk Move Attachments

Voters

Watch issue

Watchers

Create sub-task

Convert to sub-task

Move

Link

Clone

Labels

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.1
Fix Version/s: 3.0.0
Component/s: Security, WebHCat
Labels:
None

Release Note:

Hide
Security fix: Adds protection from clickjacking using X-Frame-Options header.
This will prevent use of WebHCat UI in frames. A new configuration 'templeton.frame.options.filter' is added to allow configuring such option.

Show
Security fix: Adds protection from clickjacking using X-Frame-Options header. This will prevent use of WebHCat UI in frames. A new configuration 'templeton.frame.options.filter' is added to allow configuring such option.

Description

The web UIs do not include the "X-Frame-Options" header to prevent the pages from being framed from another site.
Reference:
https://www.owasp.org/index.php/Clickjacking
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HIVE-17679.1.patch
03/Oct/17 16:47
4 kB
Aihua Xu
HIVE-17679.2.patch
03/Oct/17 18:24
4 kB
Aihua Xu

Issue Links

Add Link

is related to

HIVE-13853 Add X-XSRF-Header filter to HS2 HTTP mode and WebHCat

Closed

Delete this link

Activity

Comment

This comment will be Viewable by All Users Viewable by All Users

Cancel

People

Assignee:: Aihua Xu Assign to me

Reporter:: Aihua Xu

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 03/Oct/17 16:41

Updated:: 22/May/18 23:15

Resolved:: 05/Oct/17 22:07

Agile

Slack

Issue deployment