SOLR-14634: Limit the HTTP security headers to "/solr" end point (#1655)

Noble Paul 2020-07-07 23:16:32 +10:00 committed by GitHub
parent a88a333d54
commit 5154b6008f
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 6 additions and 4 deletions


@ -241,6 +241,8 @@ Optimizations
* SOLR-14554: Add BlockMax-WAND support for queries where the score is requested (Tomás Fernández Löbbe) * SOLR-14554: Add BlockMax-WAND support for queries where the score is requested (Tomás Fernández Löbbe)
* SOLR-14634: Limit the HTTP security headers to "/solr" end point (noble)
Bug Fixes Bug Fixes
--------------------- ---------------------
* SOLR-13264: IndexSizeTrigger aboveOp / belowOp properties not in valid properties. * SOLR-13264: IndexSizeTrigger aboveOp / belowOp properties not in valid properties.


@ -93,7 +93,7 @@
<Call name="addRule"> <Call name="addRule">
<Arg> <Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule"> <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set> <Set name="pattern">/solr/*</Set>
<Set name="name">Content-Security-Policy</Set> <Set name="name">Content-Security-Policy</Set>
<Set name="value">default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';</Set> <Set name="value">default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';</Set>
</New> </New>
@ -102,7 +102,7 @@
<Call name="addRule"> <Call name="addRule">
<Arg> <Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule"> <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set> <Set name="pattern">/solr/*</Set>
<Set name="name">X-Content-Type-Options</Set> <Set name="name">X-Content-Type-Options</Set>
<Set name="value">nosniff</Set> <Set name="value">nosniff</Set>
</New> </New>
@ -111,7 +111,7 @@
<Call name="addRule"> <Call name="addRule">
<Arg> <Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule"> <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set> <Set name="pattern">/solr/*</Set>
<Set name="name">X-Frame-Options</Set> <Set name="name">X-Frame-Options</Set>
<Set name="value">SAMEORIGIN</Set> <Set name="value">SAMEORIGIN</Set>
</New> </New>
@ -120,7 +120,7 @@
<Call name="addRule"> <Call name="addRule">
<Arg> <Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule"> <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set> <Set name="pattern">/solr/*</Set>
<Set name="name">X-XSS-Protection</Set> <Set name="name">X-XSS-Protection</Set>
<Set name="value">1; mode=block</Set> <Set name="value">1; mode=block</Set>
</New> </New>
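Review bot: Narrowing the pattern to `/solr/*` in all four HeaderPatternRule hunks (pattern lines at the fourth line of each hunk) means responses outside the Solr context — the root `/` redirect, Jetty's default error pages for unknown paths, and any other context deployed on the same connector — no longer carry Content-Security-Policy, X-Content-Type-Options, X-Frame-Options or X-XSS-Protection, and nothing in the file records that this is deliberate. A short comment above the first rule would keep the next maintainer from "fixing" it back, e.g. `<!-- Security headers are applied only to the /solr context; responses for other paths (root redirect, default error pages) are intentionally excluded. -->`. Whether the bare `/solr` path (no trailing slash) still matches depends on Jetty's prefix-pattern semantics, so it is worth confirming with a request to `/solr` that the headers are still present there. Each `<Call name="addRule">` element closes outside its hunk, and the file continues past the last hunk shown.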