[
https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16990285#comment-16990285
]
Kevin Risden edited comment on SOLR-13987 at 12/7/19 2:43 AM:
--------------------------------------------------------------
Patch: [^SOLR-13987.patch]
PR: https://github.com/apache/lucene-solr/pull/1066/
I think this is the minimal set of changes required. I didn't need to upgrade
jstree or jquery. This removes the 'unsafe-eval'.
I left 'style-src 'self' 'unsafe-inline';' after I couldn't figure out how to
easily fix the dynamic styles between angular-chosen, jstree, and jquery.
I tested this on Chrome on a Mac clicking around and creating collections. I
think I checked >90% of the UI if not all of it. Would appreciate a second set
of eyes if anyone can try it out.
> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
> Key: SOLR-13987
> URL: https://issues.apache.org/jira/browse/SOLR-13987
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Admin UI
> Reporter: Robert Muir
> Assignee: Kevin Risden
> Priority: Major
> Attachments: SOLR-13987.patch
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow
> this eval: means arbitrary javascript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the
> browser.
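The policy change the comment and the issue describe, as an added example that is not part of the Solr patch or PR: a small checker that parses a Content-Security-Policy header value, follows the default-src fallback, and reports whether the effective script-src still permits eval(). The before/after policy strings are constructed to match the shape described above; the real Solr admin UI header is not reproduced on this page.

```javascript
// Added example, not code from the Solr patch or PR.
// Parse a CSP header value into a Map of directive -> source expressions.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    // Directive names are case-insensitive; browsers ignore a repeated
    // directive, so only the first occurrence counts.
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// Effective source list for a fetch directive, honouring the default-src
// fallback. null means the directive is unrestricted.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === keyword);
}

// eval(), new Function() and string timers are governed by script-src.
function allowsEval(header) {
  const sources = effectiveSources(parseCsp(header), 'script-src');
  return sources === null || hasKeyword(sources, "'unsafe-eval'");
}

// The residual gap the comment mentions: inline styles via style-src.
function allowsInlineStyle(header) {
  const sources = effectiveSources(parseCsp(header), 'style-src');
  return sources === null || hasKeyword(sources, "'unsafe-inline'");
}

// Constructed policies in the shape the comment describes (assumed, not the real header).
const BEFORE = "default-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'";
const AFTER = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'";

console.log('before allows eval:', allowsEval(BEFORE)); // true
console.log('after allows eval:', allowsEval(AFTER)); // false
console.log('after allows inline style:', allowsInlineStyle(AFTER)); // true
```

Running it against the real header served by the admin UI (or any CSP you deploy) shows whether the eval restriction is actually in force, since a missing script-src with no default-src leaves eval() allowed.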
--
This message was sent by Atlassian Jira
(v8.3.4#803005)