SOLR-13982: set security-related http response headers by default

Unfortunately, as a first start this is very weak protection against
e.g. XSS.  This is because some 'unsafe-xxx' rules must be present due
to the insecurity of angular JS: Until SOLR-13987 is fixed, XSS & co are
still easy.
Robert Muir 2019-12-03 06:12:33 -05:00
parent 441abb8319
commit c8c9c10023
2 changed files with 44 additions and 1 deletions
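Added here as a worked example, not part of this commit or of Solr's code base: a small Python checker that parses the Content-Security-Policy value from the jetty.xml hunk below, applies the default-src fallback rules, and cross-checks it against the other three headers the commit adds. It reports exactly why the commit message calls this weak protection ('unsafe-eval' in script-src, 'unsafe-inline' in style-src) and flags the frame-ancestors/X-Frame-Options disagreement. The header names and values are copied from the diff; the HARDENED_HEADERS map, the finding codes and the function names are the example's own assumptions.

```python
"""Audit the security headers set by SOLR-13982 (added example, not Solr code)."""

# Copied verbatim from the Content-Security-Policy rule in the jetty.xml hunk.
SOLR_CSP = (
    "default-src 'none'; base-uri 'none'; form-action 'self'; "
    "frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; "
    "script-src 'self' 'unsafe-eval'; img-src 'self'; media-src 'self'; "
    "font-src 'self'; connect-src 'self';"
)

# Constructed: the four headers the HeaderPatternRules add to every response.
SOLR_HEADERS = {
    "Content-Security-Policy": SOLR_CSP,
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed for comparison (an assumption, not a Solr config): a stricter
# variant. It would break the AngularJS admin UI, which per the commit
# message still needs 'unsafe-eval' until SOLR-13987 is fixed.
HARDENED_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'none'; base-uri 'none'; form-action 'self'; "
        "frame-ancestors 'none'; script-src 'self'; style-src 'self'; "
        "img-src 'self'; connect-src 'self'"
    ),
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",
}

# Directives that never fall back to default-src.
NO_FALLBACK = {"base-uri", "form-action", "frame-ancestors", "sandbox",
               "report-uri", "report-to"}


def parse_csp(value):
    """Return {directive: [source expressions]}. A repeated directive is
    ignored after its first occurrence, which is how browsers treat it."""
    policy = {}
    for token in value.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Sources governing `directive` after the default-src fallback, or None
    when nothing constrains it."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def audit_headers(headers):
    """Return a list of (code, detail) findings for a response header map."""
    findings = []
    csp = headers.get("Content-Security-Policy")
    if csp is None:
        return [("no-csp", "Content-Security-Policy header missing")]
    policy = parse_csp(csp)

    scripts = effective_sources(policy, "script-src") or []
    hashed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 for s in scripts)
    if "'unsafe-inline'" in scripts and not hashed:
        findings.append(("unsafe-inline", "injected inline <script> executes"))
    if "'unsafe-eval'" in scripts:
        findings.append(("unsafe-eval",
                         "eval()/new Function() on attacker-controlled strings executes"))

    styles = effective_sources(policy, "style-src") or []
    if "'unsafe-inline'" in styles:
        findings.append(("style-unsafe-inline",
                         "injected CSS runs (data exfiltration via attribute selectors)"))

    objects = effective_sources(policy, "object-src")
    if objects is None or "'none'" not in objects:
        findings.append(("object-src", "plugins not blocked; add object-src 'none'"))
    if "base-uri" not in policy:
        findings.append(("base-uri", "injected <base> can redirect relative script URLs"))

    # Framing: browsers that implement frame-ancestors ignore X-Frame-Options,
    # so the two headers must agree or behaviour differs by browser.
    ancestors = policy.get("frame-ancestors")
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if ancestors is not None and xfo:
        if ("'self'" in ancestors) != (xfo == "SAMEORIGIN"):
            findings.append(("frame-mismatch",
                             f"frame-ancestors {' '.join(ancestors)} vs X-Frame-Options {xfo}"))
    elif ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("clickjacking", "no frame-ancestors and no usable X-Frame-Options"))

    if headers.get("X-Content-Type-Options", "").strip().lower() != "nosniff":
        findings.append(("sniffing", "X-Content-Type-Options: nosniff missing"))
    xss = headers.get("X-XSS-Protection")
    if xss is not None and not xss.strip().startswith("0"):
        findings.append(("xss-auditor",
                         "legacy XSS filter enabled; current guidance is X-XSS-Protection: 0"))
    return findings


if __name__ == "__main__":
    for name, hdrs in (("solr", SOLR_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name)
        for code, detail in audit_headers(hdrs):
            print(f"  [{code}] {detail}")
```

Run against the commit's headers it reports the two 'unsafe-*' allowances, the frame-ancestors 'none' versus SAMEORIGIN disagreement, and the enabled legacy XSS filter; the stricter map produces no findings. To audit a live instance, feed it the header map from any HTTP client's response object instead of the constructed dictionaries.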


@ -110,6 +110,10 @@ Upgrade Notes
* SOLR-13817: Deprecate legacy SolrCache implementations. Users are encouraged to transition their * SOLR-13817: Deprecate legacy SolrCache implementations. Users are encouraged to transition their
configurations to use org.apache.solr.search.CaffeineCache instead. (ab) configurations to use org.apache.solr.search.CaffeineCache instead. (ab)
* SOLR-13982: Some security-related http headers such as Content-Security-Policy are now set. If you have custom html served
up by Solr's http server that contains inline javascript, it will no longer execute in modern browsers. You can fix your JS
code to not run inline anymore, or edit etc/jetty.xml and weaken the CSP, or remove/alter the headers with a reverse proxy. (rmuir)
New Features New Features
--------------------- ---------------------
* SOLR-13821: A Package store to store and load package artifacts (noble, Ishan Chattopadhyaya) * SOLR-13821: A Package store to store and load package artifacts (noble, Ishan Chattopadhyaya)
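Review bot: the SOLR-13982 upgrade note only warns about inline JavaScript, but the jetty.xml change in the same commit also sets X-Frame-Options: SAMEORIGIN next to a CSP with frame-ancestors 'none', plus X-Content-Type-Options: nosniff and X-XSS-Protection, and all four rules match every response (pattern *), not just HTML. The note should list all the headers and say they apply to every response, because nosniff changes how browsers treat any custom resource served with a mismatched Content-Type, and the framing headers affect anyone embedding Solr pages. It should also state that 'unsafe-eval' remains in script-src, so users do not read this entry as full XSS mitigation, which the commit message itself says it is not.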


@ -82,13 +82,52 @@
</New> </New>
<!-- =========================================================== --> <!-- =========================================================== -->
<!-- RewriteHandle to redirect root to Solr --> <!-- RewriteHandle to set headers, redirect root to Solr -->
<!-- =========================================================== --> <!-- =========================================================== -->
<New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler"> <New id="RewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
<Set name="rewriteRequestURI">true</Set> <Set name="rewriteRequestURI">true</Set>
<Set name="rewritePathInfo">false</Set> <Set name="rewritePathInfo">false</Set>
<Set name="originalPathAttribute">requestedPath</Set> <Set name="originalPathAttribute">requestedPath</Set>
<!-- security-related headers -->
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">Content-Security-Policy</Set>
<Set name="value">default-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; img-src 'self'; media-src 'self'; font-src 'self'; connect-src 'self';</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">X-Content-Type-Options</Set>
<Set name="value">nosniff</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">X-Frame-Options</Set>
<Set name="value">SAMEORIGIN</Set>
</New>
</Arg>
</Call>
<Call name="addRule">
<Arg>
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">X-XSS-Protection</Set>
<Set name="value">1; mode=block</Set>
</New>
</Arg>
</Call>
<!-- redirect root to solr -->
<Call name="addRule"> <Call name="addRule">
<Arg> <Arg>
<New class="org.eclipse.jetty.rewrite.handler.RedirectRegexRule"> <New class="org.eclipse.jetty.rewrite.handler.RedirectRegexRule">
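Review bot: frame-ancestors 'none' in the Content-Security-Policy value contradicts `<Set name="value">SAMEORIGIN</Set>` in the X-Frame-Options rule three rules later. Browsers that implement frame-ancestors ignore X-Frame-Options, so same-origin framing of Solr is blocked in those browsers and allowed in older ones; pick one policy and make both headers say it, either `<Set name="value">DENY</Set>` for X-Frame-Options if framing is never needed, or frame-ancestors 'self' in the CSP if the admin UI frames itself. Secondary: `1; mode=block` for X-XSS-Protection turns on a legacy browser filter that current browsers have dropped and that has had its own side-channel problems; the usual recommendation now is a value of `0`, or omitting the header. A comment that the `*` pattern applies these headers to every response, including JSON and XML API output, would also help the next person editing this file.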