From 5154b6008f54c9d096f5efe9ae347492c23dd780 Mon Sep 17 00:00:00 2001
From: Noble Paul
Date: Tue, 7 Jul 2020 23:16:32 +1000
Subject: [PATCH] SOLR-14634: Limit the HTTP security headers to "/solr" end point (#1655)
---
 solr/CHANGES.txt | 2 ++
 solr/server/etc/jetty.xml | 8 ++++----
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 835900a6199..5a4ffd63fc5 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -241,6 +241,8 @@ Optimizations
 * SOLR-14554: Add BlockMax-WAND support for queries where the score is requested (Tomás Fernández Löbbe)
+* SOLR-14634: Limit the HTTP security headers to "/solr" end point (noble)
+
 Bug Fixes
 ---------------------
 * SOLR-13264: IndexSizeTrigger aboveOp / belowOp properties not in valid properties.
diff --git a/solr/server/etc/jetty.xml b/solr/server/etc/jetty.xml
index ecd4f220fe6..e2f4ab09598 100644
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@@ -93,7 +93,7 @@
- *
+ /solr/*
 Content-Security-Policy
 default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';
@@ -102,7 +102,7 @@
- *
+ /solr/*
 X-Content-Type-Options
 nosniff
@@ -111,7 +111,7 @@
- *
+ /solr/*
 X-Frame-Options
 SAMEORIGIN
@@ -120,7 +120,7 @@
- *
+ /solr/*
 X-XSS-Protection
 1; mode=block
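Review bot: Narrowing the pattern from `*` to `/solr/*` in the jetty.xml hunk at @@ -93 means every response served outside that path — the root redirect, Jetty's default error pages, and anything else mounted in this server — no longer carries Content-Security-Policy, and the hunk records nothing about why `*` was too broad or that the loss of coverage is intended; the three following hunks (@@ -102, @@ -111, @@ -120) do the same for X-Content-Type-Options, X-Frame-Options and X-XSS-Protection. An XML comment beside the first pattern, such as `<!-- SOLR-14634: security headers are scoped to /solr/* because <REASON FROM TICKET>; responses for other paths intentionally do not get them -->`, would stop the next maintainer from widening it back to `*` or assuming non-Solr paths are covered. Whether `/solr/*` also matches the bare `/solr` path depends on the path-matching semantics of the rewrite rule that holds this pattern, which the stripped rendering does not show, so that case is worth covering in whatever test checks these headers. The enclosing rule elements start and end outside each hunk.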