[www] Add CSP header to web UI

CSP (Content Security Policy) headers provide a way to tell the browser
where assets can be loaded from to prevent XSS attacks. Kudu's web UI is
read-only, at least for now, so it's not susceptible to XSS attacks,
but some security scanners still flag it as vulnerable due to not having
this header.

This patch adds a CSP header that allows loading assets on the same
host, and some inline styles and images in jQuery. It also removes all
inline style definitions from first-party files and moves them to
kudu.css.

There's no good way to write a unit test for this, as it requires a
GUI browser (curl doesn't load external resources and doesn't use
JavaScript), but I tested it manually both through HTTP and HTTPS and
confirmed there are no related errors in the JS console.

Change-Id: I411d8f4ca079bfd5584f563aeeaa867833eb1106
Reviewed-on: http://gerrit.cloudera.org:8080/18285
Tested-by: Kudu Jenkins
Reviewed-by: Alexey Serbin <alexey@apache.org>
4 files changed
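
A header of the shape this commit message describes (same-host assets plus inline styles and images) can be checked without a browser by parsing the policy string. The following is an added example, not code from the Kudu patch; the sample policy and the function names are assumptions, since the page does not show the actual header value.

```python
# Constructed sample policy: an assumption for illustration,
# not the header value set by the Kudu patch.
SAMPLE_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:"

# Source expressions that widen a policy beyond same-origin loading.
RISKY = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so the first one wins.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources for a fetch directive, falling back to default-src.

    Returns None when neither is present (loading is unrestricted).
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")


def audit(header, directives=("script-src", "style-src", "img-src")):
    """Return {directive: [risky sources]} for the given header value."""
    policy = parse_csp(header)
    findings = {}
    for directive in directives:
        sources = effective_sources(policy, directive)
        if sources is None:
            findings[directive] = ["<unrestricted>"]
            continue
        lowered = [s.lower() for s in sources]
        # Browsers ignore 'unsafe-inline' when a nonce or hash is listed.
        has_nonce = any(s.startswith(NONCE_OR_HASH) for s in lowered)
        risky = [s for s in lowered
                 if s in RISKY and not (has_nonce and s == "'unsafe-inline'")]
        if risky:
            findings[directive] = risky
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CSP))
```
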