Posted to commits@lucene.apache.org by no...@apache.org on 2020/07/07 12:33:29 UTC

[lucene-solr] 01/01: SOLR-14634: Limit the HTTP security headers to "/solr" end point

This is an automated email from the ASF dual-hosted git repository.

noble pushed a commit to branch jira/solr14634
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git

commit af78d680e6604a586e782c3dbb1a85368b80e7f1
Author: noblepaul <no...@gmail.com>
AuthorDate: Tue Jul 7 22:32:39 2020 +1000

    SOLR-14634: Limit the HTTP security headers to "/solr" end point
---
 solr/server/etc/jetty.xml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/solr/server/etc/jetty.xml b/solr/server/etc/jetty.xml
index ecd4f22..e2f4ab0 100644
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@@ -93,7 +93,7 @@
       <Call name="addRule">
         <Arg>
           <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
-            <Set name="pattern">*</Set>
+            <Set name="pattern">/solr/*</Set>
             <Set name="name">Content-Security-Policy</Set>
             <Set name="value">default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';</Set>
           </New>
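Review bot: Narrowing the pattern from `*` to `/solr/*` here, and in the three following hunks for X-Content-Type-Options, X-Frame-Options and X-XSS-Protection, means a response served by this Jetty instance outside that prefix no longer carries any of these headers. Presumably that includes the root path and container-generated error pages, so it is worth confirming that nothing browser-renderable is served from outside `/solr`, and that the bare `/solr` request (no trailing slash) still matches the pattern. The file gains no comment recording why the scope was reduced; I would add one above the first rule, e.g. `<!-- Security headers are limited to the Solr webapp on purpose (SOLR-14634); paths outside /solr are served without them -->`. The enclosing rewrite handler starts and ends outside the hunk.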
@@ -102,7 +102,7 @@
       <Call name="addRule">
         <Arg>
           <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
-            <Set name="pattern">*</Set>
+            <Set name="pattern">/solr/*</Set>
             <Set name="name">X-Content-Type-Options</Set>
             <Set name="value">nosniff</Set>
           </New>
@@ -111,7 +111,7 @@
       <Call name="addRule">
         <Arg>
           <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
-            <Set name="pattern">*</Set>
+            <Set name="pattern">/solr/*</Set>
             <Set name="name">X-Frame-Options</Set>
             <Set name="value">SAMEORIGIN</Set>
           </New>
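Review bot: The `SAMEORIGIN` value in this rule disagrees with `frame-ancestors 'none'` in the Content-Security-Policy rule that now shares the same `/solr/*` pattern. Browsers that support frame-ancestors apply it in preference to X-Frame-Options, so same-origin framing ends up allowed only in older browsers that ignore the CSP directive. The two headers should state one policy: `<Set name="value">DENY</Set>` here if framing is never intended, or `frame-ancestors 'self'` in the CSP if same-origin framing is needed. The `<Call>` for this rule closes outside the hunk.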
@@ -120,7 +120,7 @@
       <Call name="addRule">
         <Arg>
           <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
-            <Set name="pattern">*</Set>
+            <Set name="pattern">/solr/*</Set>
             <Set name="name">X-XSS-Protection</Set>
             <Set name="value">1; mode=block</Set>
           </New>
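Review bot: The `1; mode=block` value kept in this rule only drives the legacy browser XSS filter, which current browsers have removed, and current hardening guidance (for example the OWASP secure-headers recommendations) is to send `0` or omit the header. Since the restrictive Content-Security-Policy is applied to the same `/solr/*` path, consider `<Set name="value">0</Set>` or dropping the rule. If it is kept for old clients, a comment such as `<!-- retained for legacy browsers only; CSP is the effective XSS control -->` would document that. The `<Call>` for this rule closes outside the hunk.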