janhoy commented on code in PR #1792: URL: https://github.com/apache/solr/pull/1792#discussion_r1311360400
########## solr/server/etc/jetty.xml: ########## @@ -99,6 +100,7 @@ </New> </Arg> </Call> Review Comment: Ok, think I found a nice generic way of doing it: ```patch diff --git a/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java b/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java --- a/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java (revision 7f9a791eaa194001d7e50647c37535705179cc09) +++ b/solr/core/src/java/org/apache/solr/servlet/SolrDispatchFilter.java (date 1693473677585) @@ -23,6 +23,7 @@ import static org.apache.solr.util.tracing.TraceUtils.setTracer; import com.google.common.annotations.VisibleForTesting; +import com.google.common.net.HttpHeaders; import java.io.IOException; import java.lang.invoke.MethodHandles; import java.util.List; @@ -234,6 +235,11 @@ request = wrappedRequest.get(); } + // Set fallback CSP header. Can still be overwritten by individual Handlers + response.setHeader( + HttpHeaders.CONTENT_SECURITY_POLICY, + "default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data:; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';"); + var span = getSpan(request); if (getCores().getAuthenticationPlugin() != null) { if (log.isDebugEnabled()) { ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org
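Review bot: The `style-src 'self' 'unsafe-inline'` directive in the added `response.setHeader(...)` call is the one deliberate weakening in an otherwise strict policy, and the hunk gives no reason for it; a why-comment such as `// 'unsafe-inline' in style-src is required by the Admin UI (presumably inline styles) — TODO confirm and replace with nonces/hashes` would keep the next maintainer from either tightening it blindly or assuming it is harmless. The long literal would also be easier to audit and reuse as a `private static final String DEFAULT_CSP = "default-src 'none'; ...";` constant than inline in doFilter, with the call becoming `response.setHeader(HttpHeaders.CONTENT_SECURITY_POLICY, DEFAULT_CSP);`. Since `setHeader` only runs for requests that enter this filter, any response Jetty produces without reaching it (its own error pages, for instance, if that can happen here) will presumably still need the jetty.xml approach this thread started from — worth confirming rather than assuming. The enclosing method starts and ends outside the hunk.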