Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Always set content-type & nosniff #72535

Merged
merged 1 commit into from
Sep 28, 2019
Merged

Always set content-type & nosniff #72535

merged 1 commit into from
Sep 28, 2019

Conversation

tallclair
Copy link
Member

What type of PR is this?
/kind bug

What this PR does / why we need it:

HTTP responses should always set a content-type header, and nosniff option to prevent certain types of XSS or mime attacks.

Follow-up to #72520 to fix a few more cases.

Does this PR introduce a user-facing change?:

NONE

/assign @dims

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/bug Categorizes issue or PR as related to a bug. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/apiserver sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/scheduling Categorizes an issue or PR as relevant to SIG Scheduling. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jan 3, 2019
@dims
Copy link
Member

dims commented Jan 3, 2019

/test pull-kubernetes-e2e-kops-aws

@dims
Copy link
Member

dims commented Jan 3, 2019

/assign @lavalamp @liggitt
/lgtm

/test pull-kubernetes-e2e-kops-aws

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 3, 2019
@liggitt
Copy link
Member

liggitt commented Jan 3, 2019

one question on the dot graph, @deads2k might know, lgtm otherwise

@fedebongio
Copy link
Contributor

/cc @logicalhan

This was referenced Jan 3, 2019
Merged
Merged
@logicalhan
Copy link
Member

FYI, we can hopefully use this change here (#72589).

@tallclair
Copy link
Member Author

ping @deads2k for the dot graph question

Can we get this merged?

@tallclair
Copy link
Member Author

Er, sorry, I realized this needs to be sync'd up with #72589

@tallclair
Copy link
Member Author

Actually, on close inspection, does reusing that make sense in all these cases? Is it ok to depend on k8s.io/apiserver from the scheduler, kube-proxy, and controller manager?

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Mar 31, 2019
@k8s-ci-robot k8s-ci-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Apr 4, 2019
@dims
Copy link
Member

dims commented Apr 16, 2019

/unassign

@liggitt
Copy link
Member

liggitt commented Jul 9, 2019

one nit, then lgtm

@liqlin2015
Copy link

@tallclair Are you still working on this PR?
How can we make sure x-content-type-options: nosniff header is always set in the http response header in any of kube-apiserver API call? I did not see previous content type filter was referred by anyone. Should we put the content type filter in the default handler of chain of kube-apiserver?

@tallclair
Copy link
Member Author

Yeah, sorry. Resolved the last comment.

How can we make sure x-content-type-options: nosniff header is always set in the http response header in any of kube-apiserver API call?

Good question. I can't think of a good universal approach. Suggestions welcome.

@liggitt
Copy link
Member

liggitt commented Sep 24, 2019

/priority backlog
/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Sep 24, 2019
@tallclair
Copy link
Member Author

Don't know why @liggitt 's /approve wasn't registered... adding the label manually.

@tallclair tallclair added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 27, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, tallclair

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 74d2822 into kubernetes:master Sep 28, 2019
@k8s-ci-robot k8s-ci-robot added this to the v1.17 milestone Sep 28, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@deads2k deads2k Awaiting requested review from deads2k

@k82cn k82cn Awaiting requested review from k82cn

@logicalhan logicalhan Awaiting requested review from logicalhan

Assignees

@lavalamp lavalamp

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/backlog Higher priority than priority/awaiting-more-evidence. release-note-none Denotes a PR that doesn't merit a release note. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/network Categorizes an issue or PR as relevant to SIG Network. sig/scheduling Categorizes an issue or PR as relevant to SIG Scheduling. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.17
Development

Successfully merging this pull request may close these issues.

None yet
8 participants
@tallclair @dims @liggitt @fedebongio @logicalhan @liqlin2015 @k8s-ci-robot @lavalamp