laminelam commented on PR #1792:
URL: https://github.com/apache/solr/pull/1792#issuecomment-1699933444

   > > > Eager to get this into 9.4. Let me know if we can help finalizing
   > > > these two PRs
   > > 
   > > 
   > > @janhoy I should push a new commit sometime today. I have changed your
   > > CSP patch a little bit, I just need to add a test class for
   > > LoadAdminUiServlet.
   > 
   > Cool. In my patch I completely disabled CSP response for all other
   > endpoints than the `AdminUIServlet`. I cannot see a reason to return that
   > header for other endpoints. The only one I can think of is if you have a
   > Solr package that exposes another UI on some path, it could be nice to
   > protect that UI with CSP rules, so if it would be possible to have some
   > fallback CSP header for all other requests perhaps?
   
   Yes, I was thinking the same thing, we don't need this header for
   non-browser-targeted servlets (API endpoint, etc.), so it will be just
   ignored by other endpoints. Now, I am not sure of a scenario where we would
   need a different UI servlet exposed on a different path. Let me think about
   it and get back to you hopefully by tomorrow.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

