[ https://issues.apache.org/jira/browse/SOLR-14634?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17152742#comment-17152742 ]

ASF subversion and git services commented on SOLR-14634:
--------------------------------------------------------

Commit 5ae0f600afaa2bb435ae6c502fcc646a9a1eb6ca in lucene-solr's branch 
refs/heads/branch_8x from Noble Paul
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=5ae0f60 ]

SOLR-14634: Limit the HTTP security headers to "/solr" end point (#1655)



> Limit the HTTP security headers to /solr end point
> --------------------------------------------------
>
>                 Key: SOLR-14634
>                 URL: https://issues.apache.org/jira/browse/SOLR-14634
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 8.6
>            Reporter: Noble Paul
>            Priority: Blocker
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Ideally the CSP headers and other security headers are only required for web 
> components such as html/js etc. There should be no need to send it out for a 
> {{json}} or {{javabin}} response. It is unnecessary data that is being sent.
> The problem is our web UI content paths are not easy to differentiate from 
> other paths. But the v2 APIs do not need to pay that price and that can be 
> easily achieved by adding a pattern to the rules.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
