You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Carsten Ziegeler (Jira)" <ji...@apache.org> on 2022/01/15 15:47:00 UTC

[jira] [Closed] (SLING-10843) Referrer Filter allowance for app://

     [ https://issues.apache.org/jira/browse/SLING-10843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler closed SLING-10843.
------------------------------------

> Referrer Filter allowance for app://
> ------------------------------------
>
>                 Key: SLING-10843
>                 URL: https://issues.apache.org/jira/browse/SLING-10843
>             Project: Sling
>          Issue Type: Improvement
>          Components: Sling Security
>    Affects Versions: Security 1.1.20
>            Reporter: Cris Rockwell
>            Assignee: Cris Rockwell
>            Priority: Major
>             Fix For: Security 1.1.22
>
>
> Sling's ReferrerFilter has this code in the isValidRequest method.
> // check for air referrer - which is always allowedif ( referrer.startsWith("app:/") ) {  return true;
> }
> [Sling ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]
> There's no need to have app:// as a hard-coded allowance around the Referrer Filter, because applications can configure allow.hosts.regexp to allow AIR referrer if needed.
>  



--
This message was sent by Atlassian Jira
(v8.20.1#820001)