Posted to dev@sling.apache.org by "Antonio Sanso (JIRA)" <ji...@apache.org> on 2014/10/09 16:15:34 UTC

[jira] [Created] (SLING-4019) ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false

Antonio Sanso created SLING-4019:
------------------------------------

             Summary: ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false
                 Key: SLING-4019
                 URL: https://issues.apache.org/jira/browse/SLING-4019
             Project: Sling
          Issue Type: Bug
            Reporter: Antonio Sanso


The ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false.

The reason is that the attacker can force an empty referrer in at least two ways:

- If the victim site runs using http, the attacker can create a "mallory page" under an https site. In this case (namely https-to-http) the referrer is not passed.
- The attacker creates a dynamic post doing something like:

{code}
<html>
<head>
<script>
function load() {
    var postdata = '<form id=dynForm method=POST action=\'https://www.google.com\'>' +
                   '<input type=hidden name=email value=example@live.com />' +
                   '<input type=hidden name=pass value=password />' +
                   '<input type=hidden name=locale value=en_US />' +
                   '</form>';
    top.frames[0].document.body.innerHTML=postdata;
    top.frames[0].document.getElementById('dynForm').submit();
}
</script>
</head>
<body onload="load()">
<iframe src="about:blank" id="noreferer"></iframe>
</body>
</html>
{code}
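As an added illustration (not Sling's ReferrerFilter code), the following Python sketch models a referrer check with the allow-empty policy as a parameter and runs it over constructed requests, including the two referrer-stripping cases described in the report; the allowed host list, the set of methods that are checked and the sample requests are assumptions.

```python
from urllib.parse import urlparse

# Assumption: only state-changing methods are subject to the referrer check,
# plain navigation (GET/HEAD) is left alone.
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def referrer_allowed(method, referer, allowed_hosts, allow_empty):
    """Return True if the request may proceed.

    method        -- HTTP method of the request
    referer       -- value of the Referer header, or None when absent
    allowed_hosts -- hostnames whose pages may issue state-changing requests
    allow_empty   -- the DEFAULT_ALLOW_EMPTY policy under discussion
    """
    if method.upper() not in STATE_CHANGING:
        return True
    if not referer:
        # The attacker can force this case (https-to-http navigation,
        # about:blank iframe), so allow_empty=True waves those requests through.
        return allow_empty
    host = urlparse(referer).hostname
    return host is not None and host.lower() in allowed_hosts


# Constructed sample requests: a legitimate same-site post, the two ways the
# report describes to strip the Referer, and a cross-site post that keeps it.
SAMPLE_REQUESTS = [
    ("POST", "http://victim.example/admin", "legitimate same-site form"),
    ("POST", None, "posted from an https 'mallory page' to the http victim"),
    ("POST", None, "posted from a dynamic form inside an about:blank iframe"),
    ("POST", "http://evil.example/mallory.html", "cross-site post keeping its referrer"),
    ("GET", None, "plain navigation without a referrer"),
]


def evaluate(allow_empty, allowed_hosts=frozenset({"victim.example"})):
    """Apply the policy to every sample request; returns (description, allowed)."""
    return [(desc, referrer_allowed(m, r, allowed_hosts, allow_empty))
            for m, r, desc in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for allow_empty in (True, False):
        print(f"allow_empty={allow_empty}")
        for desc, ok in evaluate(allow_empty):
            print(f"  {'ALLOW' if ok else 'BLOCK'}  {desc}")
```

With allow_empty=True both referrer-stripped posts are accepted; with allow_empty=False only the same-site post and the plain GET get through.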


