lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexandre Rafalovitch (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-12292) Make it easier to configure Solr with CORS
Date Fri, 04 May 2018 21:27:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-12292?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16464413#comment-16464413
] 

Alexandre Rafalovitch commented on SOLR-12292:
----------------------------------------------

JSONP is read-only though. So, it exposes less than CORS.

IF CORS is open than any webpage can hit the localhost and possibly inject stuff, creating
a local exploit. 

This _may_ be possible with our implementation of JSONP as well, but the risk surface is much
smaller.

> Make it easier to configure Solr with CORS
> ------------------------------------------
>
>                 Key: SOLR-12292
>                 URL: https://issues.apache.org/jira/browse/SOLR-12292
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Server
>            Reporter: Jan Høydahl
>            Priority: Major
>
> While working on SOLR-8207 I wanted to collect info from other SolrCloud nodes from the
AdminUI. However this is blocked by [CORS|https://en.wikipedia.org/wiki/Cross-origin_resource_sharing] policy.
In that Jira I instead did the fan-out on the Solr server side for the two handler I needed.
> It would be nice if all nodes in a SolrCloud cluster could automatically accept any other
node as a legal origin, and make it easy for users to add other origins by config.
> If we use the [Jetty CORS filter|http://www.eclipse.org/jetty/documentation/9.4.9.v20180320/cross-origin-filter.html] in
web.xml, perhaps we could parse a env.var from solr.in.xx and inject into the {{allowedOrigins}}
property of that filter? There is also SOLR-6059 which tries to implement CORS inside of Solr
handlers and not in Jetty. Don't know pros/cons of those.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message