lucene-issues mailing list archives

From "Joel Bernstein (Jira)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-13987) fix admin UI to not rely on javascript eval()
Date Wed, 04 Dec 2019 19:38:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988137#comment-16988137 ]

Joel Bernstein commented on SOLR-13987:
---------------------------------------

There needs to be consensus on issues like this, I'm certain there is no consensus on something
like dropping the entire UI yet, or replacing it with something drastically different. Let's
mitigate the risk first. And come to consensus about a long-term plan for UI.

I'm happy to move forward with the headless solutions as an interim step.

> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
>                 Key: SOLR-13987
>                 URL: https://issues.apache.org/jira/browse/SOLR-13987
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow this eval:
> means arbitrary javascript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the browser.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
