Details
- Type: Improvement
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 3.5.0
- Fix Version/s: None
- Component/s: None
Description
Hi,
I provide the Spark History Server UI to different users within my company.
The security team scans all URLs with this script: https://github.com/santoru/shcheck
On the SHS site everything went smoothly except for Content-Security-Policy (CSP).
I tried with the policy "default-src self", but it is not sufficient to get things working.
There is a massive number of nonces/sha-256 hashes to be included to make things work.
Even if I may find some dirty hack on the nginx side (there is a reverse proxy) to avoid using unsafe-inline, it will not be OK, since it will shift the security issue from Spark to nginx, which is worse.
It may be more appropriate to tweak the Jetty configuration to have everything set on the origin server.
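The "massive amount of sha-256" the report mentions comes from the way CSP handles inline scripts: each inline `<script>` body must be allowed by its own hash source, and the hash changes whenever the body changes. The following is an added example (not code from the Spark project or from the reporter) that walks an HTML page, hashes every inline script and emits the `script-src` directive a strict CSP would need; the HTML snippet is constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page: one inline script (needs a hash source) and one
# external script (covered by 'self' since it is served from the same origin).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>abc</script>
</head><body><p>hello</p></body></html>"""


class InlineScriptCollector(HTMLParser):
    """Collects the bodies of <script> elements that have no src attribute."""

    def __init__(self):
        super().__init__()
        self._in_inline_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and all(name != "src" for name, _ in attrs):
            self._in_inline_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.scripts[-1] += data


def csp_hash_source(script_body: str) -> str:
    """CSP hash source for one inline script: sha256 over the exact text, base64."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_script_src(html: str) -> str:
    """Builds a script-src directive allowing same-origin files plus each inline block."""
    parser = InlineScriptCollector()
    parser.feed(html)
    parser.close()
    # Keyword sources such as 'self' must be single-quoted in a CSP header.
    sources = ["'self'"] + [csp_hash_source(body) for body in parser.scripts]
    return "script-src " + " ".join(sources)
```

Running `build_script_src` over every page of the UI shows how many distinct hashes a static header would have to carry, which is the cost that pushes deployments toward a per-response nonce set by the origin server rather than by a reverse proxy.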