How to edit content security policy when deploying with Helm

[Joshuaariolu]

I'm running Apache Solr 9.8.0 on Amazon EKS using Helm. I want to modify the security-related HTTP headers that Solr sets—specifically, I want to remove 'unsafe-inline' from the Content-Security-Policy (CSP) header. How can I achieve this?

Currently, the CSP is defined in the Jetty configuration (likely in jetty.yaml or jetty-rewrite.xml) with a rule like this:

/solr/* Content-Security-Policy default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self' data:; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';

[janhoy]

Hi. As you say the CSP is hard coded in jetty.xml. So one option could be to mount your own custom jetty.xml file into the solr container as a volume from a ConfigMap. Another option is to build your custom Docker image with just a COPY line in your Dockerfile. A third option is probably to contribute a feature to the solr repo where you make the CSP string configurable using a <Property > tag as in many other jetty config files. Then you have a way to inject your own.

Closing this issue for now, as it is not really a solr-operator issue. Feel free to re-open if more discussion is needed.