From 70da85b890a1d25db43c84ff82eb4a5de6d0dd73 Mon Sep 17 00:00:00 2001
From: Sean Owen
Date: Mon, 14 Sep 2015 13:47:59 +0100
Subject: [PATCH] Set X-Frame-Options: SAMEORIGIN to protect against frame-related vulnerability
---
 core/src/main/scala/org/apache/spark/ui/JettyUtils.scala | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala b/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
index 779c0ba083596..3c67148848c5b 100644
--- a/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
+++ b/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
@@ -68,6 +68,8 @@ private[spark] object JettyUtils extends Logging {
 response.setStatus(HttpServletResponse.SC_OK)
 val result = servletParams.responder(request)
 response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate")
+ // SPARK-10589 avoid frame-related click-jacking vulnerability
+ response.setHeader("X-Frame-Options", "SAMEORIGIN")
 // scalastyle:off println
 response.getWriter.println(servletParams.extractFn(result))
 // scalastyle:on println
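Review bot: The new `X-Frame-Options` header is set only on the success path of this servlet, right after the `Cache-Control` header that follows `response.setStatus(HttpServletResponse.SC_OK)`, so any other response this same method produces (the lines before and after the hunk, including whatever branch handles a request that fails the view-permission check) is still framable. Since the enclosing `doGet` begins before and continues after the hunk, the cleaner placement is to emit the header once at the top of the method, before the status is decided, e.g. `response.setHeader("X-Frame-Options", "SAMEORIGIN")` as the first statement of `doGet`, so every response from this servlet carries it. Responses served by handlers that do not go through this servlet (static resources, redirects, if this file builds any) would presumably still lack the header; if so, a Jetty filter or `HandlerWrapper` applied to every context would cover them uniformly rather than relying on each code path to remember it. Consider also extending the comment to record the chosen policy: `// SPARK-10589: SAMEORIGIN lets the UI frame its own pages but blocks framing from other origins (click-jacking)`.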