Set X-Frame-Options header to DENY unless X_FRAME_ENABLED is set to true #19491

Merged: potiuk merged 1 commit into apache:main from subkanthi:17255_x_frame_options_enabled_fix on Jan 22, 2022
subkanthi (Contributor) commented Nov 9, 2021

Set X-Frame-Options header to DENY unless X_FRAME_ENABLED is set to true.

closes: #17255


@boring-cyborg boring-cyborg Bot added the area:webserver Webserver related Issues label Nov 9, 2021
@bbovenzi bbovenzi requested a review from uranusjr November 9, 2021 15:46
@uranusjr uranusjr changed the title Set X-Frame-Options header to DENY only if X_FRAME_ENABLED is set to … Set X-Frame-Options header to DENY unless X_FRAME_ENABLED is set to true Nov 9, 2021
uranusjr (Member) commented Nov 9, 2021

I think the description is the other way around? The request (and the patch!) is to set X-Frame-Options to deny unless X_FRAME_ENABLED is True, which makes sense because deny disables embedding.

github-actions (Contributor) commented

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 5 days if no further activity occurs. Thank you for your contributions.

@github-actions github-actions Bot added the stale Stale PRs per the .github/workflows/stale.yml policy file label Jan 14, 2022
@uranusjr uranusjr removed the stale Stale PRs per the .github/workflows/stale.yml policy file label Jan 14, 2022
@github-actions github-actions Bot added the okay to merge It's ok to merge this PR as it does not require more tests label Jan 14, 2022
github-actions (Contributor) commented

The PR is likely OK to be merged with just a subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease.

@potiuk potiuk merged commit 084079f into apache:main Jan 22, 2022
@jedcunningham jedcunningham added the type:bug-fix Changelog: Bug Fixes label Mar 1, 2022
@jedcunningham jedcunningham added this to the Airflow 2.2.5 milestone Mar 1, 2022
ephraimbuddy pushed a commit that referenced this pull request Mar 16, 2022
ephraimbuddy pushed a commit that referenced this pull request Mar 20, 2022
ephraimbuddy pushed a commit that referenced this pull request Mar 22, 2022
ephraimbuddy pushed a commit that referenced this pull request Mar 22, 2022
ephraimbuddy pushed a commit that referenced this pull request Mar 22, 2022
ephraimbuddy pushed a commit that referenced this pull request Mar 22, 2022
ephraimbuddy pushed a commit that referenced this pull request Mar 24, 2022
ephraimbuddy pushed a commit that referenced this pull request Mar 26, 2022
planoe-cloudera commented Apr 18, 2022
Sorry for being late on this PR, but doesn't it prevent X-FRAME from being disabled?

Line 34 will check if it is disabled and if so it will immediately exit without giving a chance to set the header to deny.

potiuk (Member) commented Apr 25, 2022

> Sorry for being late on this PR, but doesn't it prevent X-FRAME from being disabled?
>
> Line 34 will check if it is disabled and if so it will immediately exit without giving a chance to set the header to deny.

Yep. I think you are right.

potiuk added a commit to potiuk/airflow that referenced this pull request Apr 25, 2022
The apache#19491 incorrectly changed condition on assigning the
X-Frame-Options header DENY. It actually was not possible to set
the DENY header.
potiuk added a commit that referenced this pull request Apr 25, 2022
The #19491 incorrectly changed condition on assigning the
X-Frame-Options header DENY. It actually was not possible to set
the DENY header.
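
The condition discussed in this thread, modelled as an added example that is not Airflow's code and not part of the PR: the function names, the dict standing in for response headers and the early-exit shape are assumptions based on the comments above. It runs both settings through each hook, the kind of regression check that would have flagged the inverted guard.

```python
# Added illustration only. Names and structure are hypothetical; the dict
# stands in for a web framework's response headers.
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, str]
Hook = Callable[[Headers, bool], Headers]


def hook_early_exit(headers: Headers, x_frame_enabled: bool) -> Headers:
    """Model of the behaviour described in the thread: the hook returns
    as soon as it sees framing disabled, so the DENY branch is dead code."""
    if not x_frame_enabled:
        return headers  # exits before the header can be set
    if not x_frame_enabled:  # never true at this point
        headers["X-Frame-Options"] = "DENY"
    return headers


def hook_deny_unless_enabled(headers: Headers, x_frame_enabled: bool) -> Headers:
    """Intended policy from the PR title: DENY unless framing is enabled."""
    if not x_frame_enabled:
        headers["X-Frame-Options"] = "DENY"
    return headers


def framing_policy_failures(hook: Hook) -> List[Tuple[bool, Optional[str]]]:
    """Run the hook for both settings and return (setting, header value)
    for every case that does not match 'DENY unless enabled'."""
    failures = []
    for enabled in (True, False):
        out = hook({"Content-Type": "text/html"}, enabled)  # constructed response
        got = out.get("X-Frame-Options")
        expected = None if enabled else "DENY"
        if got != expected:
            failures.append((enabled, got))
    return failures


if __name__ == "__main__":
    for hook in (hook_early_exit, hook_deny_unless_enabled):
        print(hook.__name__, framing_policy_failures(hook))
```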
Development

Successfully merging this pull request may close these issues.

x_frame_enabled logic broken in Airflow 2