[jira] [Comment Edited] (SOLR-13987) fix admin UI to not rely on javascript eval()

Fri, 06 Dec 2019 14:26:11 -0800 


    [ 
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16990195#comment-16990195
 ] 

Kevin Risden edited comment on SOLR-13987 at 12/6/19 10:25 PM:
---------------------------------------------------------------

I applied the above changes and then ran into these clicking around:

* Need to do something about this: 
https://github.com/apache/lucene-solr/blob/master/solr/webapp/web/js/angular/controllers/cloud.js#L671
* jquery.jstree.js has issues - might need an upgrade
** 'http://localhost:8983/solr/libs/themes/default/style.css' not found? 
** comes from jstree it looks like missing theme
* jquery-2.1.3.min.js has issues - might need an upgrade


Most of the messages are like:

{code:java}
Either the 'unsafe-inline' keyword, a hash 
('sha256-BxgBw5gY+4L6F0VnJCV1SraYT1sZl9r6drbrpfnH3IM='), or a nonce 
('nonce-...') is required to enable inline execution.
{code}

I'll keep poking at it. 


was (Author: risdenk):
I applied the above changes and then ran into these clicking around:

* Need to do something about this: 
https://github.com/apache/lucene-solr/blob/master/solr/webapp/web/js/angular/controllers/cloud.js#L671
* 'http://localhost:8983/solr/libs/themes/default/style.css' not found? what is 
this from?
* jquery.jstree.js has issues - might need an upgrade
* jquery-2.1.3.min.js has issues - might need an upgrade


Most of the messages are like:

{code:java}
Either the 'unsafe-inline' keyword, a hash 
('sha256-BxgBw5gY+4L6F0VnJCV1SraYT1sZl9r6drbrpfnH3IM='), or a nonce 
('nonce-...') is required to enable inline execution.
{code}

I'll keep poking at it. 

> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
>                 Key: SOLR-13987
>                 URL: https://issues.apache.org/jira/browse/SOLR-13987
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow 
> this eval: means arbitrary javascript can still be executed. 
> Let's fix the admin UI to not require eval so it can be disabled by the 
> browser.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to