Apache Storm / STORM-1989

X-Frame-Options support for Storm UI


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.10.2, 1.0.2, 1.1.0
    • Component/s: storm-core

    Description

      A Cross-Frame Scripting (XFS) vulnerability enables an attacker to load malicious code inside an HTTP frame. See more details here.

      The fix for the vulnerability is trivial:
      The X-Frame-Options HTTP Header entry needs to be passed to the browser. Further details can be found here.

      Currently the X-Frame-Options field is not passed to the browser through Storm UI.

      The implementation for this fix would enable the Storm Administrator to set the X-Frame-Options field through a storm config parameter:
      ui.http.x-frame-options

      The parameter would have three possible values, which would reflect the possible values of X-Frame-Options.
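
An added example, not code from the Storm project: a Python check a defender could run over the response headers returned by Storm UI to confirm that the `ui.http.x-frame-options` setting took effect. It assumes the three values are the header's standard `DENY`, `SAMEORIGIN` and `ALLOW-FROM <origin>`; the function name and the sample headers are constructed for illustration.

```python
from urllib.parse import urlsplit


def audit_x_frame_options(headers):
    """Classify the X-Frame-Options state of one HTTP response.

    headers: list of (name, value) pairs as received, duplicates preserved.
    Returns (verdict, detail); verdict is one of
    "missing", "ok", "allow-from", "conflicting", "invalid".
    """
    values = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            # Repeated headers may arrive comma-joined into one field value.
            values += [v.strip() for v in value.split(",") if v.strip()]
    if not values:
        return ("missing", "no framing restriction is sent")
    if len({v.upper() for v in values}) > 1:
        # Treated here as a misconfiguration to fix at the server.
        return ("conflicting", "multiple different values: " + ", ".join(values))
    value = values[0]
    token, _, rest = value.partition(" ")
    token = token.upper()  # the directive is matched case-insensitively
    if token in ("DENY", "SAMEORIGIN") and not rest:
        return ("ok", token)
    if token == "ALLOW-FROM":
        origin = urlsplit(rest.strip())
        if origin.scheme in ("http", "https") and origin.netloc:
            return ("allow-from", f"{origin.scheme}://{origin.netloc}")
        return ("invalid", "ALLOW-FROM needs an http(s) origin")
    return ("invalid", f"unrecognised value {value!r}")


# Constructed sample responses (not captured from a real Storm UI).
SAMPLES = {
    "header absent": [("Content-Type", "text/html")],
    "deny": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "same origin": [("x-frame-options", "sameorigin")],
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://ops.example.com/ui")],
    "duplicated": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "typo": [("X-Frame-Options", "ALLOWALL")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:14} -> {audit_x_frame_options(hdrs)}")
```

`ALLOW-FROM` is reported separately from `ok` because current browsers ignore it; the CSP `frame-ancestors` directive is the supported way to allow one specific origin.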

          People

            Assignee: Tibor Kiss
            Reporter: Tibor Kiss
            Votes: 0
            Watchers: 3
