[ https://issues.apache.org/jira/browse/SOLR-13987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16990285#comment-16990285 ]
Kevin Risden commented on SOLR-13987:
-------------------------------------

Patch: [^SOLR-13987.patch]
PR: https://github.com/apache/lucene-solr/pull/1066/

I think this is the minimal set of changes required. I didn't need to upgrade jstree or jquery. This removes the 'unsafe-eval'. I left 'style-src 'self' 'unsafe-inline';' after I couldn't figure out how to easily fix the dynamic styles between angular-chosen, jstree, and jquery.

I tested this on Chrome on a Mac clicking around and creating collections. I think I checked >90% of the UI if not all of it. Would appreciate a second set of eyes if anyone can try it out.

> fix admin UI to not rely on javascript eval()
> ---------------------------------------------
>
>                 Key: SOLR-13987
>                 URL: https://issues.apache.org/jira/browse/SOLR-13987
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Admin UI
>            Reporter: Robert Muir
>            Assignee: Kevin Risden
>            Priority: Major
>         Attachments: SOLR-13987.patch
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> Followup from SOLR-13982: currently any CSP is weak because it must allow
> this eval: means arbitrary javascript can still be executed.
> Let's fix the admin UI to not require eval so it can be disabled by the
> browser.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
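The point of the patch is that a CSP is only as strong as its script-src: as long as 'unsafe-eval' is present, eval() still runs. The checker below, added here as an example and not part of the Solr patch or this thread, parses a Content-Security-Policy header and applies the fallback rule (script-src and style-src inherit default-src when absent) to answer "does this policy still permit eval()?" and "does it still permit inline styles?". The BEFORE/AFTER header strings are constructed for the example, modelled on the change described above, not copied from Solr's configuration.

```javascript
// Added example: CSP header checker for the eval()/inline-style question.
// Header values below are constructed, not taken from the Solr admin UI.

function parseCsp(header) {
  // A CSP header is a ';'-separated list of directives; each directive is a
  // name followed by whitespace-separated source expressions. Per the spec,
  // a repeated directive name is ignored after its first occurrence.
  const policy = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

function effectiveSources(policy, directive) {
  // script-src and style-src fall back to default-src when not set.
  // With neither present the directive is unrestricted (returned as null).
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

function hasKeyword(sources, keyword) {
  // Keyword sources such as 'unsafe-eval' match case-insensitively.
  return sources === null || sources.some(s => s.toLowerCase() === keyword);
}

function allowsEval(policy) {
  return hasKeyword(effectiveSources(policy, 'script-src'), "'unsafe-eval'");
}

function allowsInlineStyle(policy) {
  return hasKeyword(effectiveSources(policy, 'style-src'), "'unsafe-inline'");
}

// Constructed policies: the state the issue complains about, and the state
// the comment describes after the patch (eval gone, inline styles kept).
const BEFORE = "default-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self'";
const AFTER = "default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self'";

console.log('before: eval allowed =', allowsEval(parseCsp(BEFORE)));
console.log('after:  eval allowed =', allowsEval(parseCsp(AFTER)));
console.log('after:  inline style allowed =', allowsInlineStyle(parseCsp(AFTER)));
```

A header with no script-src and no default-src at all is reported as allowing eval, since an absent directive imposes no restriction.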