lucene-issues mailing list archives

From "Joel Bernstein (Jira)" <j...@apache.org>
Subject [jira] [Comment Edited] (SOLR-13987) fix admin UI to not rely on javascript eval()
Date Wed, 04 Dec 2019 19:42:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988137#comment-16988137 ]

Joel Bernstein edited comment on SOLR-13987 at 12/4/19 7:41 PM:
----------------------------------------------------------------

There needs to be consensus on issues like this. I'm certain there is no consensus on something
like dropping the entire UI yet, or replacing it with something drastically different. Let's
mitigate the risk first. And come to consensus about a long term plan for the UI. 

I'm happy to move forward with the headless solution as an interim step.


was (Author: joel.bernstein):
There needs to consensus on issues like this. I'm certain there is no consensus on something
like dropping the entire UI yet, or replacing it with something drastically different. Let's
mitigate the risk first. And come to consensus about a long term plan for the UI. 

I'm happy to move forward with the headless solution as an interim step.

> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
>                 Key: SOLR-13987
>                 URL: https://issues.apache.org/jira/browse/SOLR-13987
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Priority: Major
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow this eval:
> means arbitrary javascript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the browser.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
