[
https://issues.apache.org/jira/browse/SOLR-12292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16464413#comment-16464413
]
Alexandre Rafalovitch commented on SOLR-12292:
----------------------------------------------
JSONP is read-only though. So, it exposes less than CORS.
IF CORS is open than any webpage can hit the localhost and possibly inject
stuff, creating a local exploit.
This _may_ be possible with our implementation of JSONP as well, but the risk
surface is much smaller.
> Make it easier to configure Solr with CORS
> ------------------------------------------
>
> Key: SOLR-12292
> URL: https://issues.apache.org/jira/browse/SOLR-12292
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Server
> Reporter: Jan Høydahl
> Priority: Major
>
> While working on SOLR-8207 I wanted to collect info from other SolrCloud
> nodes from the AdminUI. However this is blocked by
> [CORS|https://en.wikipedia.org/wiki/Cross-origin_resource_sharing] policy. In
> that Jira I instead did the fan-out on the Solr server side for the two
> handler I needed.
> It would be nice if all nodes in a SolrCloud cluster could automatically
> accept any other node as a legal origin, and make it easy for users to add
> other origins by config.
> If we use the [Jetty CORS
> filter|http://www.eclipse.org/jetty/documentation/9.4.9.v20180320/cross-origin-filter.html]
> in web.xml, perhaps we could parse a env.var from solr.in.xx and inject into
> the {{allowedOrigins}} property of that filter? There is also SOLR-6059 which
> tries to implement CORS inside of Solr handlers and not in Jetty. Don't know
> pros/cons of those.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
