You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@lucene.apache.org by "David Eric Pugh (Jira)" <ji...@apache.org> on 2021/02/18 20:23:00 UTC

[jira] [Assigned] (SOLR-15161) JSONResponseWriter that have text/plain mimetype causes havoc for some tools

     [ https://issues.apache.org/jira/browse/SOLR-15161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Eric Pugh reassigned SOLR-15161:
--------------------------------------

    Assignee: David Eric Pugh

> JSONResponseWriter that have text/plain mimetype causes havoc for some tools
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-15161
>                 URL: https://issues.apache.org/jira/browse/SOLR-15161
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: JSON Request API
>    Affects Versions: 8.4
>            Reporter: David Eric Pugh
>            Assignee: David Eric Pugh
>            Priority: Minor
>
> Years ago, to make things "simpler" in some of our example configs, we did this:
>  
> {{ <queryResponseWriter name="json" class="solr.JSONResponseWriter">}}
> {{ <!-- For the purposes of the tutorial, JSON responses are written as}}
> {{ plain text so that they are easy to read in *any* browser.}}
> {{ If you expect a MIME type of "application/json" just remove this override.}}
> {{ -->}}
> {{ <str name="content-type">text/plain; charset=UTF-8</str>}}
> {{ </queryResponseWriter>}}
>  
> {{Today, this causes havoc when you have a JSONP XHR request combined with new browsers since they expect application/json.  The Quepid project definitely gets this as an error ;)}}
>  
> {{As of Solr 8.4.1, Solr ships with more restrictive security options by default. This, along with a early 2020 change by all the browser vendors has tightened up the rules for browser CORS interaction. The new default of {{nosniff}} for {{X-Content-Type-Options}} appears to be breaking this functionality, which interferes with outside websites accessing a Solr instance directly. The default configuration that ships with 8.4.1 now only allows such requests to originate from the Solr host itself.}}
>  
> {{I'd like to remove the text/plain from our example configsets so future users don't get bit by this.}}
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org