From: "Joel Bernstein (Jira)"
To: issues@lucene.apache.org
Date: Wed, 4 Dec 2019 19:42:00 +0000 (UTC)
Subject: [jira] [Comment Edited] (SOLR-13987) fix admin UI to not rely on javascript eval()

    [ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988137#comment-16988137 ]

Joel Bernstein edited comment on SOLR-13987 at 12/4/19 7:41 PM:
----------------------------------------------------------------

There needs to be consensus on issues like this. I'm certain there is no consensus on something like dropping the entire UI yet, or replacing it with something drastically different. Let's mitigate the risk first. And come to consensus about a long term plan for the UI.

I'm happy to move forward with the headless solution as an interim step.

was (Author: joel.bernstein):
There needs to consensus on issues like this. I'm certain there is no consensus on something like dropping the entire UI yet, or replacing it with something drastically different. Let's mitigate the risk first. And come to consensus about a long term plan for the UI.

I'm happy to move forward with the headless solution as an interim step.

> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
>                 Key: SOLR-13987
>                 URL: https://issues.apache.org/jira/browse/SOLR-13987
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>            Reporter: Robert Muir
>            Priority: Major
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow this eval: means arbitrary javascript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the browser.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
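The weakness the issue description names, a Content-Security-Policy that has to grant 'unsafe-eval' for the admin UI to work, as an added example that is not part of this thread or of the Solr project: a small checker that parses a CSP header value and reports whether the policy still permits eval(), run over two constructed policies (the weak form the UI currently needs and the hardened form that becomes possible once eval is gone). The policy strings and function names are assumptions made here, not anything shipped by Solr.

```javascript
// Added example (not Solr code): does a CSP value still allow eval()?
// Parse "directive value value; directive value" into a Map.
// Per the CSP spec the FIRST occurrence of a directive wins; later
// duplicates are ignored, so a checker must not simply overwrite.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    const values = tokens.slice(1).map((v) => v.toLowerCase());
    if (!directives.has(name)) directives.set(name, values);
  }
  return directives;
}

// eval()/new Function() are governed by script-src; when script-src is
// absent the browser falls back to default-src. If neither is present
// the policy does not restrict script execution at all, which for the
// purposes of this check is as weak as granting 'unsafe-eval'.
function cspAllowsEval(header) {
  const d = parseCsp(header);
  const scriptSrc = d.has('script-src') ? d.get('script-src') : d.get('default-src');
  if (scriptSrc === undefined) return true;
  return scriptSrc.includes("'unsafe-eval'");
}

// Constructed sample policies (assumptions, not Solr's real headers).
// WEAK_CSP is what an eval()-dependent admin UI forces an operator to send:
// any injected script can still reach eval, so the rest of the policy buys little.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
// HARDENED_CSP drops 'unsafe-eval'; the browser then refuses eval() outright.
const HARDENED_CSP =
  "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'";

// Report each policy so the check can be run from the command line.
function report(label, header) {
  const verdict = cspAllowsEval(header) ? 'ALLOWS eval()' : 'blocks eval()';
  return `${label}: ${verdict}`;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report('weak', WEAK_CSP));
  console.log(report('hardened', HARDENED_CSP));
}
```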