Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Version: 3.4.0
- Reviewed
Description
The /logs endpoint is missing the X-FRAME-OPTIONS header in the response, even though YARN is configured to include it. This makes it vulnerable to clickjacking.
Request URL: http://{{rm_host}}:8088/logs/
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:8088
Referrer Policy: strict-origin-when-cross-origin
HTTP/1.1 200 OK
Date: Fri, 25 Jun 2021 17:38:38 GMT
Cache-Control: no-cache
Expires: Fri, 25 Jun 2021 17:38:38 GMT
Date: Fri, 25 Jun 2021 17:38:38 GMT
Pragma: no-cache
Content-Type: text/html;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 469
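The following is an added check (not code from the Hadoop/YARN project) that makes the finding above mechanical: it parses raw HTTP response heads, keeps repeated headers such as the doubled Date header in the capture, and reports whether the response forbids cross-origin framing via X-Frame-Options or a Content-Security-Policy frame-ancestors directive. The first sample is the /logs response head pasted above (body omitted); the "hardened" and CSP samples are constructed for illustration and are not responses from a real YARN build. The parser is deliberately simple (no folded header lines, head only).

```python
"""Report HTTP responses that can be embedded in a cross-origin frame.

Added example, not part of the YARN project. Sample responses below are
either copied from the report (LOGS_RESPONSE) or constructed here.
"""
from typing import Dict, List, Optional, Tuple

# Values of X-Frame-Options that current browsers honour. ALLOW-FROM is
# obsolete and ignored, so it is reported as ineffective.
XFO_VALID = {"DENY", "SAMEORIGIN"}


def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]]]:
    """Parse an HTTP/1.x response head into (status code, headers).

    Header names are lower-cased; repeated headers (e.g. two Date lines)
    are kept as a list in the order they appeared.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % lines[0])
    status = int(status_line[1])
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def csp_frame_ancestors(headers: Dict[str, List[str]]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from CSP, or None if absent."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]]
    return None


def framing_verdict(headers: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    Browsers that support CSP frame-ancestors let it override
    X-Frame-Options, so it is evaluated first.
    """
    sources = csp_frame_ancestors(headers)
    if sources is not None:
        # A wildcard (or an empty list treated as 'none' by CSP3) decides it.
        if "*" in sources:
            return False, "CSP frame-ancestors allows any origin"
        return True, "CSP frame-ancestors %s" % " ".join(sources or ["'none'"])
    xfo = headers.get("x-frame-options", [])
    if not xfo:
        return False, "no X-Frame-Options or CSP frame-ancestors header"
    values = {v.strip().upper() for v in xfo}
    if len(values) > 1:
        # Conflicting duplicates are treated as invalid by browsers.
        return False, "conflicting X-Frame-Options values %s" % sorted(values)
    value = values.pop()
    if value in XFO_VALID:
        return True, "X-Frame-Options %s" % value
    return False, "ineffective X-Frame-Options value %r" % xfo[0]


def audit(responses: Dict[str, str]) -> Dict[str, Tuple[bool, str]]:
    """Map each endpoint name to its framing verdict."""
    return {name: framing_verdict(parse_response(raw)[1])
            for name, raw in responses.items()}


# Response head of GET /logs/ as pasted in the report (body not included).
LOGS_RESPONSE = """HTTP/1.1 200 OK
Date: Fri, 25 Jun 2021 17:38:38 GMT
Cache-Control: no-cache
Expires: Fri, 25 Jun 2021 17:38:38 GMT
Date: Fri, 25 Jun 2021 17:38:38 GMT
Pragma: no-cache
Content-Type: text/html;charset=utf-8
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Content-Length: 469

"""

# Constructed: what the same endpoint should look like once the header is set.
HARDENED_RESPONSE = LOGS_RESPONSE.replace(
    "Content-Length: 469", "X-Frame-Options: SAMEORIGIN\nContent-Length: 469")

# Constructed: an endpoint relying on CSP instead of X-Frame-Options.
CSP_RESPONSE = LOGS_RESPONSE.replace(
    "Content-Length: 469",
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\n"
    "Content-Length: 469")

if __name__ == "__main__":
    for name, (ok, why) in audit({"/logs/": LOGS_RESPONSE,
                                  "/logs/ (hardened)": HARDENED_RESPONSE,
                                  "/csp": CSP_RESPONSE}).items():
        print("%-20s %s  %s" % (name, "OK  " if ok else "FAIL", why))
```

To run this against a live ResourceManager, feed `parse_response` the raw head from `curl -si http://{{rm_host}}:8088/logs/` and compare the verdict for /logs/ with that of an endpoint that is covered by the filter; the finding in this issue is exactly the case where the two differ.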
Attachments
Issue Links
- relates to: HADOOP-12964 Http server vulnerable to clickjacking (Resolved)