[SPARK-45233] HistoryServer should set headers Content-Security-Policy (CSP) - ASF JIRA

Log work

Agile Board

Rank to Top

Rank to Bottom

Attach files

Attach Screenshot

Bulk Copy Attachments

Bulk Move Attachments

Add vote

Voters

Watch issue

Watchers

Create sub-task

Convert to sub-task

Move

Link

Clone

Labels

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

Delete

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Open
Priority: Minor
Resolution: Unresolved
Affects Version/s: 3.5.0
Fix Version/s: None
Component/s: Web UI
Labels:
None

Description

Hi,

I provide spark history server UI to different users within my company.

The security team scan all URLs with this script : https://github.com/santoru/shcheck
On the SHS site everything went smoothly except for Content-Security-Policy (CSP).
I tried with the policy: "default-src self" but it is not sufficient to get things working.
There is a massive amount of nonce/sha-256 to be included to make things work.

Even if I may find some dirty hack on nginx side (there is a reverse proxy) to avoid using unsafe-inline, it will not be Ok since it will report the security issue from spark to nginx which is worse.

It may be more appropriate to tweak jetty configuration to have everything set in the origin server.