Posted to dev@sling.apache.org by "Dominique Jäggi (JIRA)" <ji...@apache.org> on 2017/06/09 12:43:18 UTC

[jira] [Commented] (SLING-6937) Referrer Filter: Allow Regex User Agent Exclusions

    [ https://issues.apache.org/jira/browse/SLING-6937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16044376#comment-16044376 ] 

Dominique Jäggi commented on SLING-6937:
----------------------------------------

After f2f discussions with [~asanso], it was decided to better allow for a list of regex patterns against which the user agent of the request is matched. If the user agent matches, the request is considered a no-browser request and thus the referrer is not checked.

> Referrer Filter: Allow Regex User Agent Exclusions
> --------------------------------------------------
>
>                 Key: SLING-6937
>                 URL: https://issues.apache.org/jira/browse/SLING-6937
>             Project: Sling
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: Security 1.1.2
>            Reporter: Dominique Jäggi
>         Attachments: SLING_6937___Referrer_Filter__Allow_Path_Exclusions.patch
>
>
> For some cases it would be desirable to skip the referrer check altogether for certain resource paths, instead of simply setting "Allow Empty Referrer", thus weakening the security overall instead of only for a well-known set of paths for which it would be desirable.
> For this reason I'd like to propose adding a path whitelist to the referrer filter configuration. Patch attached.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
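
Added example, not part of the original message and not Sling's code: a sketch of the decision described in the comment above, where a request whose User-Agent matches a configured regex skips the referrer check. The class, method names, patterns and hosts are hypothetical, and using a full match rather than a substring match is a choice made for this sketch.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Added sketch; class and method names are hypothetical, not Sling's.
public class ReferrerCheckSketch {
    private final List<Pattern> excludedAgents; // regexes for non-browser clients
    private final Set<String> allowedHosts;     // hosts accepted in the Referer header

    ReferrerCheckSketch(List<String> agentRegexes, Set<String> allowedHosts) {
        this.excludedAgents = agentRegexes.stream().map(Pattern::compile).collect(Collectors.toList());
        this.allowedHosts = allowedHosts;
    }

    // True when the whole User-Agent matches an exclusion pattern. matches() is used
    // instead of find() so a browser UA that merely contains "curl/..." is not excluded.
    boolean isNonBrowser(String userAgent) {
        if (userAgent == null || userAgent.isEmpty()) return false; // missing UA is not an exclusion
        return excludedAgents.stream().anyMatch(p -> p.matcher(userAgent).matches());
    }

    // Decide whether a modifying request may proceed.
    boolean isAllowed(String userAgent, String referer) {
        if (isNonBrowser(userAgent)) return true;                    // excluded client: referrer not checked
        if (referer == null || referer.isEmpty()) return false;      // assumes "Allow Empty Referrer" is off
        try {
            String host = URI.create(referer).getHost();
            return host != null && allowedHosts.contains(host.toLowerCase(Locale.ROOT));
        } catch (IllegalArgumentException e) {
            return false;                                            // unparsable Referer is rejected
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration and requests.
        ReferrerCheckSketch f = new ReferrerCheckSketch(
                List.of("curl/.*", "MyMonitor/\\d+\\.\\d+"), Set.of("author.example.com"));
        String browser = "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0";
        System.out.println(f.isAllowed("curl/8.4.0", null));                         // excluded agent
        System.out.println(f.isAllowed(browser, "https://author.example.com/page")); // allowed host
        System.out.println(f.isAllowed(browser, "https://other.example.net/"));      // foreign host
        System.out.println(f.isAllowed(browser + " curl/8.4.0", null));              // partial match only
    }
}
```

Broad patterns such as `.*` or ones that also match browser User-Agent strings would disable the referrer check for browser requests, so exclusion lists are best kept narrow and reviewed like any other allow-list.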