[ https://issues.apache.org/jira/browse/SOLR-13982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985386#comment-16985386 ]

Ishan Chattopadhyaya commented on SOLR-13982:
---------------------------------------------

Looks good, Robert. Thanks!

bq. Disabling inline javascript is important, so that e.g. if there is a bug 
then injected code doesn't get executed. Unfortunately the current admin UI 
dangerously relies on eval, so for now unsafe-eval must be allowed so that 
everything still works. This should really be cleaned up, I have the feeling as 
long as it works this way, that you can still execute stuff.

How extensively do we use unsafe evaluations in the admin UI? Can we remove 
that functionality from the admin UI that uses such evaluations?

> set security-related http response headers by default
> -----------------------------------------------------
>
>                 Key: SOLR-13982
>                 URL: https://issues.apache.org/jira/browse/SOLR-13982
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>         Attachments: SOLR-13982.patch
>
>
> Solr server should set some best practice http security response headers, to 
> e.g. protect users of the admin ui against XSS/injection/clickjacking/etc
> * Content-Security-Policy 
> * X-Content-Type-Options
> * X-XSS-Protection
> * X-Frame-Options
> Disabling inline javascript is important, so that e.g. if there is a bug then 
> injected code doesn't get executed. Unfortunately the current admin UI 
> dangerously relies on {{eval}}, so for now {{unsafe-eval}} must be allowed so 
> that everything still works. This should really be cleaned up, I have the 
> feeling as long as it works this way, that you can still execute stuff.
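The header set proposed in the issue, as an added example that is not part of the issue or of Solr's own code: a small checker that verifies a captured set of response headers carries all four headers and reports which Content-Security-Policy directives still allow eval or inline script, so the unsafe-eval allowance stays visible until the admin UI is cleaned up. The header values in the sample are constructed, typical values, not the ones in SOLR-13982.patch.

```python
"""Check HTTP response headers against the header set proposed in SOLR-13982
and report which CSP source expressions remain risky (e.g. 'unsafe-eval')."""

# The four headers the issue asks Solr to set by default.
REQUIRED = ["Content-Security-Policy", "X-Content-Type-Options",
            "X-XSS-Protection", "X-Frame-Options"]
# Source expressions that weaken script/style restrictions and deserve a report.
RISKY_SOURCES = {"'unsafe-eval'", "'unsafe-inline'"}


def parse_csp(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # skip empty fragments such as a trailing ';'
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers):
    """Return {'missing': [header, ...], 'risky': {directive: [source, ...]}}.

    Header names are matched case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in REQUIRED if h.lower() not in lower]
    risky = {}
    csp = lower.get("content-security-policy")
    if csp:
        for directive, sources in parse_csp(csp).items():
            found = [s for s in sources if s.lower() in RISKY_SOURCES]
            if found:
                risky[directive] = found
    return {"missing": missing, "risky": risky}


# Constructed sample (hypothetical values): a response that sets all four
# headers but still allows eval in script-src, as the issue describes.
SAMPLE_HEADERS = {
    "Content-Type": "text/html;charset=utf-8",
    "Content-Security-Policy": "default-src 'none'; script-src 'self' "
                               "'unsafe-eval'; style-src 'self'; img-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    print(check_headers(SAMPLE_HEADERS))
```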



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
