[
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988042#comment-16988042
]
Jason Gerlowski edited comment on SOLR-13987 at 12/4/19 5:46 PM:
-----------------------------------------------------------------
Personally, I like the idea of having the Admin UI be disable-able via a flag.
It's a quick change (relative to other proposed options), doesn't require
scarce JavaScript/Angular expertise, and users who have followed the
community's advice and kept their Solr behind a firewall can use the same old
UI without security concerns.
Does a headless mode obviate the need for the {{eval}} work? (Should we rename
the issue if there's consensus on pursuing headless mode instead?)
was (Author: gerlowskija):
Personally, I like the idea of having the Admin UI be disable-able via a flag.
It's a quick change (relative to other proposed options), doesn't require
scarce JavaScript/Angular expertise, and users who have followed the
community's advice and kept their Solr behind a firewall can use the same old
UI without security concerns.
Does a headless mode obviate the need for the {{eval}} work? The answer
probably depends on what use-case we're trying to target here, as Joel
mentioned above. Is the concern defending people who accidentally leave Solr
open? Or are we trying to support users who intentionally are deploying Solr
world-open, and want to use all the bells and whistles (Admin UI, etc.)?
> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
> Key: SOLR-13987
> URL: https://issues.apache.org/jira/browse/SOLR-13987
> Project: Solr
> Issue Type: Improvement
> Security Level: Public (Default Security Level. Issues are Public)
> Reporter: Robert Muir
> Priority: Major
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow
> this eval: means arbitrary javascript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the
> browser.
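As an added example, not code from the Solr project or from this issue: a small checker that parses a Content-Security-Policy header and reports the script-src keywords that let arbitrary script run, with 'unsafe-eval' (the keyword the current Admin UI forces a policy to carry) among them. The two sample policies are constructed for illustration.

```javascript
// Parse "directive value value; directive value" into a Map of
// directive name -> list of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// Return the weaknesses in the effective script policy. Per the CSP spec,
// script-src falls back to default-src when it is absent; an empty
// script-src (or 'none') blocks all script and yields no findings.
function scriptWeaknesses(header) {
  const csp = parseCsp(header);
  const sources = csp.get('script-src') ?? csp.get('default-src');
  const findings = [];
  if (!sources) {
    findings.push('no script-src or default-src: script loading is unrestricted');
    return findings;
  }
  const lower = sources.map((s) => s.toLowerCase());
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval': eval()/new Function() run any injected string");
  }
  if (lower.includes("'unsafe-inline'")) {
    findings.push("'unsafe-inline': injected inline <script> blocks execute");
  }
  if (lower.includes('*')) {
    findings.push("'*': scripts may be loaded from any origin");
  }
  return findings;
}

// Constructed sample policies (hypothetical): the first is the shape a policy
// must take while the Admin UI still relies on eval(); the second is what
// becomes possible once eval() is no longer required.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
const HARDENED_CSP = "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";
```

Note that 'unsafe-inline' on style-src is not reported: the check is deliberately scoped to script execution, which is what the eval() dependency affects.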
--
This message was sent by Atlassian Jira
(v8.3.4#803005)