IMPALA-10201

WebUI CSP best practice


Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • Impala 4.0.0
    • None
    • Security
    • ghx-label-14

    Description

      The Debug WebUI currently supports only the X-Frame-Options header. Keeping that header is necessary for backward compatibility with older browsers, but it is superseded by the Content Security Policy's frame-ancestors directive and will eventually be replaced by it:

      Content Security Policy’s frame-ancestors directive obsoletes the X-Frame-Options header. If a resource has both policies, the frame-ancestors policy SHOULD be enforced and the X-Frame-Options policy SHOULD be ignored [w3.org].

      As described in Section 2.3.2.2, not all browsers implement X-Frame-Options in exactly the same way, which can lead to unintended results. And, given that the "X-" construction is deprecated [RFC6648], the X-Frame-Options header field will be replaced in the future by the Frame-Options directive in the Content Security Policy (CSP) version 1.1 [CSP-1-1]. [RFC 7034]

      The CSP frame-ancestors directive should be implemented (alongside the existing X-Frame-Options header) so that the Debug WebUI adheres to current security best practice and does not depend on a deprecated feature in the future.
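      The following is an added example, not code from Impala's webserver. It shows the two things the description asks for: deriving a frame-ancestors source list from the X-Frame-Options value a WebUI already emits, so both headers can be sent together, and the precedence rule quoted above from the CSP spec (when both headers are present, frame-ancestors is enforced and X-Frame-Options is ignored). Names such as BuildFrameHeaders and FramingAllowed and the sample origins are assumptions for illustration; the matching of frame-ancestors sources is simplified to exact origin comparison and does not implement CSP host wildcards or scheme-less hosts.

```cpp
// Added example (not Impala's webserver code). Maps an existing
// X-Frame-Options setting to the equivalent CSP frame-ancestors directive and
// models how a CSP2-conformant browser evaluates the two when both are sent.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

namespace webui_csp {

struct FrameHeaders {
  std::string x_frame_options;          // legacy header, kept for old browsers
  std::string content_security_policy;  // "frame-ancestors ..." directive
};

static std::string ToUpper(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::toupper(c)); });
  return s;
}

// Translate the configured X-Frame-Options value into a frame-ancestors
// source list. ALLOW-FROM <uri> becomes the literal origin; anything other
// than SAMEORIGIN or ALLOW-FROM (including a typo) maps to 'none' so a
// misconfiguration fails closed rather than open.
FrameHeaders BuildFrameHeaders(const std::string& x_frame_options) {
  const std::string upper = ToUpper(x_frame_options);
  std::string ancestors;
  if (upper == "SAMEORIGIN") {
    ancestors = "'self'";
  } else if (upper.rfind("ALLOW-FROM ", 0) == 0) {
    ancestors = x_frame_options.substr(11);  // strlen("ALLOW-FROM ") == 11
  } else {
    ancestors = "'none'";
  }
  return {x_frame_options, "frame-ancestors " + ancestors};
}

// Split a directive into whitespace-separated tokens.
static std::vector<std::string> Tokens(const std::string& s) {
  std::istringstream in(s);
  std::vector<std::string> out;
  for (std::string tok; in >> tok;) out.push_back(tok);
  return out;
}

// Decide whether a page served from resource_origin may be framed by a page
// at embedder_origin. Precedence follows the CSP text quoted in the issue:
// a frame-ancestors directive, if present, is enforced and X-Frame-Options is
// ignored; otherwise X-Frame-Options applies; with neither, framing is allowed.
bool FramingAllowed(const std::map<std::string, std::string>& headers,
                    const std::string& resource_origin,
                    const std::string& embedder_origin) {
  auto csp = headers.find("Content-Security-Policy");
  if (csp != headers.end()) {
    std::istringstream policy(csp->second);
    for (std::string directive; std::getline(policy, directive, ';');) {
      std::vector<std::string> toks = Tokens(directive);
      if (toks.empty() || toks[0] != "frame-ancestors") continue;
      for (size_t i = 1; i < toks.size(); ++i) {
        if (toks[i] == "'none'") return false;
        if (toks[i] == "'self'" && embedder_origin == resource_origin) return true;
        if (toks[i] == embedder_origin) return true;  // exact-origin match only
      }
      return false;  // directive present but no source matched
    }
  }
  auto xfo = headers.find("X-Frame-Options");
  if (xfo != headers.end()) {
    const std::string v = ToUpper(xfo->second);
    if (v == "DENY") return false;
    if (v == "SAMEORIGIN") return embedder_origin == resource_origin;
    if (v.rfind("ALLOW-FROM ", 0) == 0) return xfo->second.substr(11) == embedder_origin;
    return false;  // unrecognised value: browsers differ here, so this model fails closed
  }
  return true;
}

}  // namespace webui_csp

int main() {
  // Emit both headers for a hypothetical WebUI configured with SAMEORIGIN.
  webui_csp::FrameHeaders h = webui_csp::BuildFrameHeaders("SAMEORIGIN");
  std::cout << "X-Frame-Options: " << h.x_frame_options << "\n"
            << "Content-Security-Policy: " << h.content_security_policy << "\n";
  return 0;
}
```

      Sending both headers is the transition the description aims at: old browsers that only understand X-Frame-Options keep their protection, current browsers apply frame-ancestors and ignore X-Frame-Options, and because the two values are derived from one setting they cannot drift apart. A quick manual check against a running daemon is to request the debug page and confirm that a single X-Frame-Options value and a single frame-ancestors directive are returned and agree with each other.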

      People

        Assignee: Tamas Mate (tmate)
        Reporter: Tamas Mate (tmate)