[ 
https://issues.apache.org/jira/browse/SOLR-7966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14711379#comment-14711379
 ] 

Uwe Schindler commented on SOLR-7966:
-------------------------------------

The embedded Jetty in the test framework does not see the web.xml or the webapp 
at all (there is no web application configured). It's configured hardcoded with a 
random URI prefix, but does not provide the LoadAdminUIServlet at all.

Currently you can't test this easily with unit tests. You would need to set up UI 
testing, but there is another issue about that.

You can quickly mock a test without Jetty like done in SolrRequestParserTest. 
It uses Mock ServletRequest/Response objects and just validates if the called 
servlet did everything right.

> Solr Admin pages should set X-Frame-Options to DENY
> ---------------------------------------------------
>
>                 Key: SOLR-7966
>                 URL: https://issues.apache.org/jira/browse/SOLR-7966
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Yonik Seeley
>            Priority: Trivial
>         Attachments: SOLR-7966.patch
>
>
> Security scan software reported that Solr's admin interface is vulnerable to 
> clickjacking, which is fixable with the X-Frame-Options HTTP header.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
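A mock-based test of the kind the comment describes, written here as an added example that is not Solr's own code and not SolrRequestParserTest: it assumes the Servlet API and Mockito on the classpath, and the filter class `ClickjackingProtectionFilter` and the `/solr/` request path are hypothetical stand-ins for whatever component ends up setting the header. The point is that no Jetty and no web.xml are needed to check that a servlet or filter sets `X-Frame-Options: DENY` and still passes the request down the chain.

```java
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.doAnswer;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.when;

/**
 * Hypothetical filter (not Solr's code): sets the clickjacking-protection
 * header on every response and then lets the request continue to the servlet.
 */
class ClickjackingProtectionFilter implements Filter {
    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws java.io.IOException, ServletException {
        if (resp instanceof HttpServletResponse) {
            // DENY forbids framing by any origin, including the same one.
            ((HttpServletResponse) resp).setHeader("X-Frame-Options", "DENY");
        }
        chain.doFilter(req, resp);
    }

    @Override
    public void destroy() { }
}

public class FrameOptionsMockTest {

    /** True when the captured headers deny framing (header value is case-insensitive). */
    static boolean deniesFraming(Map<String, String> headers) {
        String value = headers.get("X-Frame-Options");
        return value != null && "DENY".equalsIgnoreCase(value.trim());
    }

    public static void main(String[] args) throws Exception {
        HttpServletRequest req = mock(HttpServletRequest.class);
        HttpServletResponse resp = mock(HttpServletResponse.class);
        FilterChain chain = mock(FilterChain.class);

        // Record every header the code under test sets on the mocked response.
        Map<String, String> headers = new HashMap<>();
        doAnswer(inv -> {
            headers.put(inv.getArgument(0), inv.getArgument(1));
            return null;
        }).when(resp).setHeader(anyString(), anyString());

        // Constructed request path standing in for the admin UI.
        when(req.getRequestURI()).thenReturn("/solr/");

        new ClickjackingProtectionFilter().doFilter(req, resp, chain);

        // The request must still reach the servlet behind the filter.
        verify(chain).doFilter(req, resp);

        if (!deniesFraming(headers)) {
            throw new AssertionError("X-Frame-Options not set to DENY; headers were " + headers);
        }
        System.out.println("OK, headers set: " + headers);
    }
}
```

The capture via `doAnswer` is what makes the test useful beyond `verify(resp).setHeader(...)`: it lets the assertion check the final header map, so a later call that overwrote the value with `SAMEORIGIN` or removed it would be caught, and the check tolerates case differences in the header value.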
