This is an automated email from the ASF dual-hosted git repository.
rmuir pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/master by this push:
new c8c9c10 SOLR-13982: set security-related http response headers by default
c8c9c10 is described below
commit c8c9c1002353db3b8a4d89d21849bf67bc4f0931
Author: Robert Muir <rmuir@apache.org>
AuthorDate: Tue Dec 3 06:12:33 2019 -0500
SOLR-13982: set security-related http response headers by default
Unfortunately, as a first start this is very weak protection against
e.g. XSS. This is because some 'unsafe-xxx' rules must be present due
to the insecurity of angular JS: Until SOLR-13987 is fixed, XSS & co are
still easy.
---
solr/CHANGES.txt | 4 ++++
solr/server/etc/jetty.xml | 41 ++++++++++++++++++++++++++++++++++++++++-
2 files changed, 44 insertions(+), 1 deletion(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 96dfc4d..24d0c5d 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -110,6 +110,10 @@ Upgrade Notes
* SOLR-13817: Deprecate legacy SolrCache implementations. Users are encouraged to transition
their
configurations to use org.apache.solr.search.CaffeineCache instead. (ab)
+* SOLR-13982: Some security-related http headers such as Content-Security-Policy are now
set. If you have custom html served
+ up by Solr's http server that contains inline javascript, it will no longer execute in
modern browsers. You can fix your JS
+ code to not run inline anymore, or edit etc/jetty.xml and weaken the CSP, or remove/alter
the headers with a reverse proxy. (rmuir)
+
New Features
---------------------
* SOLR-13821: A Package store to store and load package artifacts (noble, Ishan Chattopadhyaya)
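Review bot: The upgrade note only warns about inline JavaScript, but the policy it describes (see the jetty.xml hunk below) also sends `frame-ancestors 'none'` plus an `X-Frame-Options` header, so any deployment that embeds Solr's admin UI or other Solr-served pages in an iframe on another site will break as well; add a sentence next to the inline-script warning, along the lines of "Pages served by Solr can also no longer be embedded in frames on other sites; relax frame-ancestors in etc/jetty.xml if you need this." The same three remedies already listed (fix the code, edit etc/jetty.xml, or strip the headers at a reverse proxy) apply to that case too, so the sentence can simply point back at them.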
diff --git a/solr/server/etc/jetty.xml b/solr/server/etc/jetty.xml
index 1f6de77..0a0172a 100644
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@@ -82,13 +82,52 @@
</New>
<!-- =========================================================== -->
- <!-- RewriteHandle to redirect root to Solr -->
+ <!-- RewriteHandle to set headers, redirect root to Solr -->
<!-- =========================================================== -->
<New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
<Set name="rewriteRequestURI">true</Set>
<Set name="rewritePathInfo">false</Set>
<Set name="originalPathAttribute">requestedPath</Set>
+ <!-- security-related headers -->
+ <Call name="addRule">
+ <Arg>
+ <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+ <Set name="pattern">*</Set>
+ <Set name="name">Content-Security-Policy</Set>
+ <Set name="value">default-src 'none'; base-uri 'none'; form-action 'self';
frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval';
img-src 'self'; media-src 'self'; font-src 'self'; connect-src 'self';</Set>
+ </New>
+ </Arg>
+ </Call>
+ <Call name="addRule">
+ <Arg>
+ <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+ <Set name="pattern">*</Set>
+ <Set name="name">X-Content-Type-Options</Set>
+ <Set name="value">nosniff</Set>
+ </New>
+ </Arg>
+ </Call>
+ <Call name="addRule">
+ <Arg>
+ <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+ <Set name="pattern">*</Set>
+ <Set name="name">X-Frame-Options</Set>
+ <Set name="value">SAMEORIGIN</Set>
+ </New>
+ </Arg>
+ </Call>
+ <Call name="addRule">
+ <Arg>
+ <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+ <Set name="pattern">*</Set>
+ <Set name="name">X-XSS-Protection</Set>
+ <Set name="value">1; mode=block</Set>
+ </New>
+ </Arg>
+ </Call>
+
+ <!-- redirect root to solr -->
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.RedirectRegexRule">
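Review bot: The two framing rules in this hunk disagree with each other: the Content-Security-Policy rule sends `frame-ancestors 'none'` while the X-Frame-Options rule sends `SAMEORIGIN`. Per the CSP Level 2 spec, a browser that understands `frame-ancestors` enforces it and ignores X-Frame-Options when both are present, so the effective policy is "no framing at all" in current browsers and "same-origin framing allowed" in older ones; pick one intent and make both headers say it, either `<Set name="value">DENY</Set>` for X-Frame-Options, or `frame-ancestors 'self'` in the CSP if any Solr page frames itself. Two smaller points: the comment at the top of the hunk still reads "RewriteHandle" where the class is `RewriteHandler`, and the `X-XSS-Protection` rule is there for legacy browsers only (the CSP does the real work), which deserves a one-line comment so nobody later treats it as the XSS defence.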
|