Details
- Improvement
- Status: Resolved
- Minor
- Resolution: Fixed
- None
Description
Cross Frame Scripting (XFS) vulnerability enables an attacker to load malicious code inside an HTTP frame. See more details here.
The fix for the vulnerability is trivial:
The X-Frame-Options HTTP Header entry needs to be passed to the browser. Further details can be found here.
Currently the X-Frame-Options field is not passed to the browser through Storm UI.
The implementation for this fix would enable the Storm Administrator to set the X-Frame-Options field through a storm config parameter:
ui.http.x-frame-options
The parameter would have three possible values, which would reflect the possible values of X-Frame-Options.
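An added example, not code from the Storm project: a Python check that validates a value intended for ui.http.x-frame-options and audits response headers against it. It assumes the three values are the forms the X-Frame-Options header defines (DENY, SAMEORIGIN, ALLOW-FROM followed by an origin); the function names and sample headers are hypothetical.

```python
from urllib.parse import urlsplit

def parse_xfo(value):
    """Normalize an X-Frame-Options value or raise ValueError."""
    parts = value.strip().split(None, 1)
    if not parts:
        raise ValueError("empty value")
    directive = parts[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        if len(parts) > 1:
            raise ValueError(f"{directive} takes no argument")
        return directive
    if directive == "ALLOW-FROM":
        if len(parts) != 2:
            raise ValueError("ALLOW-FROM needs an origin")
        url = urlsplit(parts[1].strip())
        if url.scheme not in ("http", "https") or not url.hostname:
            raise ValueError("ALLOW-FROM origin must be an http(s) URL")
        return f"ALLOW-FROM {url.scheme}://{url.netloc}"
    raise ValueError(f"unknown directive {parts[0]!r}")

def audit_response(headers, configured):
    """Check (name, value) response headers against the configured value.

    Returns a list of findings; an empty list means the header matches.
    """
    want = parse_xfo(configured)
    seen = [v for k, v in headers if k.lower() == "x-frame-options"]
    if not seen:
        return ["X-Frame-Options header missing"]
    findings = []
    if len(seen) > 1:
        findings.append("X-Frame-Options sent more than once")
    for raw in seen:
        try:
            got = parse_xfo(raw)
        except ValueError as exc:
            findings.append(f"invalid value {raw!r}: {exc}")
            continue
        if got != want:
            findings.append(f"got {got!r}, configured {want!r}")
    return findings

# Constructed sample: headers as a UI response might carry them.
SAMPLE = [("Content-Type", "text/html"), ("X-Frame-Options", "deny")]

if __name__ == "__main__":
    print(audit_response(SAMPLE, "DENY"))        # header matches
    print(audit_response(SAMPLE[:1], "DENY"))    # header absent
```

Current browsers ignore ALLOW-FROM, so a deployment that needs to permit a specific framing origin also needs the Content-Security-Policy frame-ancestors directive.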