[ https://issues.apache.org/jira/browse/SOLR-15161?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Eric Pugh updated SOLR-15161:
-----------------------------------
    Description:
Years ago, to make things "simpler" in some of our example configs, we did this:

{noformat}
<queryResponseWriter name="json" class="solr.JSONResponseWriter">
  <!-- For the purposes of the tutorial, JSON responses are written as
       plain text so that they are easy to read in any browser.
       If you expect a MIME type of "application/json" just remove this override.
  -->
  <str name="content-type">text/plain; charset=UTF-8</str>
</queryResponseWriter>
{noformat}

Today, this causes havoc when you have a JSONP XHR request combined with new browsers since they expect application/json. The Quepid project definitely gets this as an error ;)

As of Solr 8.4.1, Solr ships with more restrictive security options by default. This, along with an early 2020 change by all the browser vendors, has tightened up the rules for browser CORS interaction. The new default of {{nosniff}} for {{X-Content-Type-Options}} appears to be breaking this functionality, which interferes with outside websites accessing a Solr instance directly. The default configuration that ships with 8.4.1 now only allows such requests to originate from the Solr host itself.

I'd like to remove the text/plain from our example configsets so future users don't get bit by this.

  was:
Years ago, to make things "simpler" in some of our example configs, we did this:

{{{{ <queryResponseWriter name="json" class="solr.JSONResponseWriter">}}}}
{{ <!-- For the purposes of the tutorial, JSON responses are written as}}
{{ plain text so that they are easy to read in *any* browser.}}
{{ If you expect a MIME type of "application/json" just remove this override.}}
{{ -->}}}}
{{ <str name="content-type">text/plain; charset=UTF-8</str>}}
{{ </queryResponseWriter>}}

{{Today, this causes havoc when you have a JSONP XHR request combined with new browsers since they expect application/json. The Quepid project definitely gets this as an error ;)}}

{{As of Solr 8.4.1, Solr ships with more restrictive security options by default. This, along with an early 2020 change by all the browser vendors, has tightened up the rules for browser CORS interaction. The new default of {{nosniff}} for {{X-Content-Type-Options}} appears to be breaking this functionality, which interferes with outside websites accessing a Solr instance directly. The default configuration that ships with 8.4.1 now only allows such requests to originate from the Solr host itself.}}

{{I'd like to remove the text/plain from our example configsets so future users don't get bit by this.}}

> JSONResponseWriter that have text/plain mimetype causes havoc for some tools
> ----------------------------------------------------------------------------
>
>                 Key: SOLR-15161
>                 URL: https://issues.apache.org/jira/browse/SOLR-15161
>             Project: Solr
>          Issue Type: Improvement
>          Components: JSON Request API
>    Affects Versions: 8.4
>            Reporter: David Eric Pugh
>            Assignee: David Eric Pugh
>            Priority: Minor