Details
- Improvement
- Status: Closed
- Minor
- Resolution: Fixed
- 8.4
- None
Description
Years ago, to make things "simpler" in some of our example configs, we did this:
<queryResponseWriter name="json" class="solr.JSONResponseWriter">
  <!-- For the purposes of the tutorial, JSON responses are written as plain text so that they are
       easy to read in any browser. If you expect a MIME type of "application/json" just remove this override. -->
  <str name="content-type">text/plain; charset=UTF-8</str>
</queryResponseWriter>
Today, this causes havoc when you have a JSONP XHR request combined with new browsers, since they expect application/json. The Quepid project definitely gets this as an error.
As of Solr 8.4.1, Solr ships with more restrictive security options by default. This, along with an early 2020 change by all the browser vendors, has tightened up the rules for browser CORS interaction. The new default of nosniff for X-Content-Type-Options appears to be breaking this functionality, which interferes with outside websites accessing a Solr instance directly. The default configuration that ships with 8.4.1 now only allows such requests to originate from the Solr host itself.
I'd like to remove the text/plain from our example configsets so future users don't get bit by this.
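As an added example (not part of Solr, Quepid, or this issue), here is a small script that checks a solrconfig.xml for exactly the override described above, i.e. a solr.JSONResponseWriter whose content-type has been forced to something other than application/json, and produces the corrected config with that override removed so the writer falls back to its built-in JSON content type. The sample config embedded in the block is constructed to mirror the snippet in the description; the function names are my own.

```python
"""Detect and remove a content-type override on Solr's JSON response writer.

Added example, not Solr's or Quepid's code. It uses only the standard library
and operates on an in-memory solrconfig.xml; point it at a real file by
reading the file into a string first.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed solrconfig.xml carrying the text/plain override
# from the issue, next to an unrelated writer that must be left alone.
SAMPLE_SOLRCONFIG = """<config>
  <queryResponseWriter name="json" class="solr.JSONResponseWriter">
    <!-- Tutorial override: JSON written as plain text for readability. -->
    <str name="content-type">text/plain; charset=UTF-8</str>
  </queryResponseWriter>
  <queryResponseWriter name="xml" class="solr.XMLResponseWriter"/>
</config>
"""

JSON_WRITER_CLASS = "solr.JSONResponseWriter"


def _json_writers(root: ET.Element):
    """Yield every queryResponseWriter element backed by the JSON writer class."""
    for writer in root.iter("queryResponseWriter"):
        if writer.get("class") == JSON_WRITER_CLASS:
            yield writer


def find_content_type_overrides(config_xml: str) -> list[tuple[str, str]]:
    """Return (writer name, content-type) for each JSON writer whose
    content-type is overridden to a non-JSON media type.

    A browser enforcing X-Content-Type-Options: nosniff will not treat such a
    response as JSON, which is the breakage the issue describes.
    """
    root = ET.fromstring(config_xml)
    overrides = []
    for writer in _json_writers(root):
        for child in writer.findall("str"):
            if child.get("name") != "content-type":
                continue
            ctype = (child.text or "").strip()
            if not ctype.lower().startswith("application/json"):
                overrides.append((writer.get("name", ""), ctype))
    return overrides


def strip_content_type_overrides(config_xml: str) -> str:
    """Return the config with every JSON-writer content-type override removed,
    so the writer serves its default application/json content type."""
    root = ET.fromstring(config_xml)
    for writer in _json_writers(root):
        for child in list(writer.findall("str")):
            if child.get("name") == "content-type":
                writer.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, ctype in find_content_type_overrides(SAMPLE_SOLRCONFIG):
        print(f"writer {name!r} overrides content-type to {ctype!r}")
    print(strip_content_type_overrides(SAMPLE_SOLRCONFIG))
```

Run against the sample, the check reports the `json` writer's `text/plain; charset=UTF-8` override, and the stripped output keeps both writers but drops the `<str name="content-type">` element. Note that the default ElementTree parser discards XML comments, so the rewritten config loses the tutorial comment along with the override; if you need comments preserved, parse with a `TreeBuilder(insert_comments=True)`.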