Posted to issues@solr.apache.org by "Alexandre Rafalovitch (Jira)" <ji...@apache.org> on 2021/03/18 19:13:00 UTC

[jira] [Commented] (SOLR-15161) JSONResponseWriter that have text/plain mimetype causes havoc for some tools

    [ https://issues.apache.org/jira/browse/SOLR-15161?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304370#comment-17304370 ] 

Alexandre Rafalovitch commented on SOLR-15161:
----------------------------------------------

I think removing text/plain is only a partial solution. Especially for Quepid.

Because we need to take into account the json.wrf case, where JSONResponseWriter currently seems to return the same headers whether the flag is specified or not.

It should be returning *application/json* without a flag and *application/javascript* with the flag.

> JSONResponseWriter that have text/plain mimetype causes havoc for some tools
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-15161
>                 URL: https://issues.apache.org/jira/browse/SOLR-15161
>             Project: Solr
>          Issue Type: Improvement
>          Components: JSON Request API
>    Affects Versions: 8.4
>            Reporter: David Eric Pugh
>            Assignee: David Eric Pugh
>            Priority: Minor
>             Fix For: main (9.0), 8.9
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> Years ago, to make things "simpler" in some of our example configs, we did this:
>  
> {noformat}
> <queryResponseWriter name="json" class="solr.JSONResponseWriter">
>    <!-- For the purposes of the tutorial, JSON responses are written as
>    plain text so that they are easy to read in any browser.
>    If you expect a MIME type of "application/json" just remove this override.
>    -->
>    <str name="content-type">text/plain; charset=UTF-8</str>
>  </queryResponseWriter>{noformat}
>  
> Today, this causes havoc when you have a JSONP XHR request combined with new browsers since they expect application/json.  The Quepid project definitely gets this as an error ;)
>  
> As of Solr 8.4.1, Solr ships with more restrictive security options by default. This, along with an early 2020 change by all the browser vendors, has tightened up the rules for browser CORS interaction. The new default of nosniff for X-Content-Type-Options appears to be breaking this functionality, which interferes with outside websites accessing a Solr instance directly. The default configuration that ships with 8.4.1 now only allows such requests to originate from the Solr host itself.
>  
> I'd like to remove the text/plain from our example configsets so future users don't get bit by this.
>  
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
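
The header behaviour discussed in this thread, as an added example that is not part of the original message or of Solr's or Quepid's code: it models the browser's nosniff check for script loads (the JSONP transport) and the content type proposed for requests with and without json.wrf. The function names, the lowercase header keys and the sample requests are assumptions made for the illustration.

```javascript
// Added example: models the "nosniff" script check from the WHATWG Fetch
// standard and the content-type choice proposed in the comment above.

// JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard.
const JS_MIME_TYPES = new Set([
  "application/ecmascript", "application/javascript", "application/x-ecmascript",
  "application/x-javascript", "text/ecmascript", "text/javascript",
  "text/javascript1.0", "text/javascript1.1", "text/javascript1.2",
  "text/javascript1.3", "text/javascript1.4", "text/javascript1.5",
  "text/jscript", "text/livescript", "text/x-ecmascript", "text/x-javascript",
]);

// Reduce "text/plain; charset=UTF-8" to its essence "text/plain".
function mimeEssence(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// A request is JSONP when it carries a non-empty json.wrf callback name.
function isJsonp(params) {
  return typeof params["json.wrf"] === "string" && params["json.wrf"] !== "";
}

// Hypothetical helper: the header the comment says the writer should send.
function expectedContentType(params) {
  return (isJsonp(params) ? "application/javascript" : "application/json") + "; charset=UTF-8";
}

// True when a browser refuses to run the response as a <script> because
// X-Content-Type-Options is nosniff and the type is not a JavaScript type.
// Simplification: assumes one header value and lowercase header names.
function blockedAsScript(headers) {
  const nosniff = String(headers["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  return nosniff && !JS_MIME_TYPES.has(mimeEssence(headers["content-type"]));
}

// Audit one request/response pair: is the type the expected one, and would
// a JSONP caller be blocked by the nosniff check?
function auditResponse(params, headers) {
  const want = mimeEssence(expectedContentType(params));
  const got = mimeEssence(headers["content-type"]);
  return { want, got, matches: want === got, jsonpBlocked: isJsonp(params) && blockedAsScript(headers) };
}
```

Under this model a json.wrf response served as application/json is still blocked when nosniff is set, because application/json is not a JavaScript MIME type.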