
WebUI CSP best practice


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: Impala 4.0.0
    • Fix Version/s: None
    • Component/s: Security

      Description

      The Debug WebUI currently supports only the X-Frame-Options header, which is kept for backward compatibility; in the future, however, it will be replaced by the Content Security Policy's frame-ancestors directive:

      Content Security Policy’s frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored [w3.org].

      As described in Section 2.3.2.2, not all browsers implement X-Frame-Options in exactly the same way, which can lead to unintended results. And, given that the "X-" construction is deprecated [RFC6648], the X-Frame-Options header field will be replaced in the future by the Frame-Options directive in the Content Security Policy (CSP) version 1.1 [CSP-1-1]. [RFC 7034]

      CSP's frame-ancestors directive should be implemented to adhere to current security best practices and to avoid depending on a deprecated feature in the future.
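      The transition the issue describes, as an added example that is not Impala code: translate the legacy X-Frame-Options value the WebUI already emits into the equivalent frame-ancestors directive, emit both headers during the compatibility period, and check which policy a CSP-aware browser actually enforces when both are present (the quoted rule: frame-ancestors wins, X-Frame-Options is ignored). Function names and the sample header sets are constructed for this example.

```python
"""Added example (not Impala code): X-Frame-Options -> CSP frame-ancestors
mapping and precedence check, following the rule quoted in the issue."""
from typing import Dict, Optional, Tuple


def xfo_to_frame_ancestors(xfo: str) -> Optional[str]:
    """Translate an X-Frame-Options value into the equivalent CSP directive.

    DENY -> 'none', SAMEORIGIN -> 'self', ALLOW-FROM <uri> -> <uri>.
    Returns None for values that have no defined meaning, so the caller
    refuses to emit a policy it does not understand instead of guessing.
    """
    parts = xfo.strip().split(None, 1)
    if not parts:
        return None
    token = parts[0].upper()
    if token == "DENY":
        return "frame-ancestors 'none'"
    if token == "SAMEORIGIN":
        return "frame-ancestors 'self'"
    if token == "ALLOW-FROM" and len(parts) == 2:
        return f"frame-ancestors {parts[1].strip()}"
    return None


def framing_headers(xfo: str) -> Dict[str, str]:
    """Headers to send during the transition: the legacy header for old
    browsers plus the CSP directive that supersedes it for newer ones."""
    csp = xfo_to_frame_ancestors(xfo)
    if csp is None:
        raise ValueError(f"unsupported X-Frame-Options value: {xfo!r}")
    return {"X-Frame-Options": xfo.strip(), "Content-Security-Policy": csp}


def effective_framing_policy(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (source, directive) for the framing policy a CSP-aware browser
    enforces: a frame-ancestors directive takes precedence, and only when no
    such directive exists does X-Frame-Options apply (expressed here as its
    frame-ancestors equivalent so both can be compared). Header names are
    matched case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        directive = directive.strip()
        if directive.lower().startswith("frame-ancestors"):
            return ("frame-ancestors", directive)
    xfo = lower.get("x-frame-options")
    translated = xfo_to_frame_ancestors(xfo) if xfo else None
    return ("x-frame-options", translated) if translated else None
```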

            People

            • Assignee: Tamas Mate (tmate)
            • Reporter: Tamas Mate (tmate)