Posted to issues@lucene.apache.org by "Ishan Chattopadhyaya (Jira)" <ji...@apache.org> on 2020/07/07 14:51:00 UTC

[jira] [Resolved] (SOLR-14634) Limit the HTTP security headers to /solr end point

     [ https://issues.apache.org/jira/browse/SOLR-14634?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ishan Chattopadhyaya resolved SOLR-14634.
-----------------------------------------
    Fix Version/s: 8.7
       Resolution: Fixed

> Limit the HTTP security headers to /solr end point
> --------------------------------------------------
>
>                 Key: SOLR-14634
>                 URL: https://issues.apache.org/jira/browse/SOLR-14634
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.6
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>            Priority: Blocker
>             Fix For: 8.7
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Ideally the CSP headers and other security headers are only required for web components such as html/js etc. There should be no need to send them out for a {{json}} or {{javabin}} response. It is unnecessary data that is being sent.
> The problem is our web UI content paths are not easy to differentiate from other paths. But the v2 APIs do not need to pay that price, and that can be easily achieved by adding a pattern to the rules.


