Apache Storm / STORM-1989

X-Frame-Options support for Storm UI

Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.10.2, 1.0.2, 1.1.0
    • Component/s: storm-core

    Description

      A Cross Frame Scripting (XFS) vulnerability enables an attacker to load malicious code inside an HTTP frame. See more details here.

      The fix for the vulnerability is trivial:
      The X-Frame-Options HTTP Header entry needs to be passed to the browser. Further details can be found here.

      Currently the X-Frame-Options field is not passed to the browser through Storm UI.

      The implementation for this fix would enable the Storm Administrator to set the X-Frame-Options field through a Storm config parameter:
      ui.http.x-frame-options

      The parameter would have three possible values which would reflect X-Frame-Options' possible values.
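
To verify a deployment after the parameter is set, the response headers can be checked against the three X-Frame-Options directives (DENY, SAMEORIGIN, ALLOW-FROM uri). The following is an added example, not code from the issue or from Storm; the function names and sample headers are constructed for illustration.

```python
import re

# ALLOW-FROM must carry an origin; bare "ALLOW-FROM" is not a valid value.
_ALLOW_FROM = re.compile(r"^ALLOW-FROM\s+(https?://[^\s/]+)/?$", re.IGNORECASE)

def parse_xfo(value):
    """Return (directive, origin_or_None) for a valid value, else None."""
    v = value.strip()
    if v.upper() in ("DENY", "SAMEORIGIN"):
        return (v.upper(), None)
    m = _ALLOW_FROM.match(v)
    return ("ALLOW-FROM", m.group(1).lower()) if m else None

def audit_headers(headers):
    """headers: list of (name, value) pairs as received. Returns (verdict, detail)."""
    values = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return ("missing", "no X-Frame-Options header in the response")
    # Duplicate headers are often folded by proxies into "A, B"; split them back.
    parts = [p for v in values for p in v.split(",")]
    parsed = [parse_xfo(p) for p in parts]
    if any(p is None for p in parsed):
        return ("invalid", "unrecognised value in %r" % values)
    if len(set(parsed)) > 1:
        return ("conflicting", "more than one distinct directive: %r" % values)
    directive, origin = parsed[0]
    if directive == "ALLOW-FROM":
        # Current mainstream browsers do not implement ALLOW-FROM.
        return ("weak", "ALLOW-FROM %s is not enforced by current browsers" % origin)
    return ("ok", directive)

if __name__ == "__main__":
    # Constructed sample responses, not captured from a real Storm UI.
    samples = {
        "header absent": [("Content-Type", "text/html")],
        "sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
        "folded duplicates": [("X-Frame-Options", "DENY, SAMEORIGIN")],
        "allow-from": [("X-Frame-Options", "ALLOW-FROM https://ops.example.test/")],
    }
    for label, hdrs in samples.items():
        print(label, "->", audit_headers(hdrs))
```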

            People

              Assignee: Tibor Kiss (tibor.kiss@gmail.com)
              Reporter: Tibor Kiss (tibor.kiss@gmail.com)
              Votes: 0
              Watchers: 3
