Posted to dev@sling.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2022/02/08 10:51:00 UTC

[jira] [Comment Edited] (SLING-11115) Allow path exemptions for referrer filter

    [ https://issues.apache.org/jira/browse/SLING-11115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17488765#comment-17488765 ] 

Angela Schreiber edited comment on SLING-11115 at 2/8/22, 10:50 AM:
--------------------------------------------------------------------

[~cziegeler], I see, thanks for the explanation... so it's {{HttpServletRequest.getPathInfo}}


was (Author: anchela):
[~cziegeler], I see, thanks for the explanation... so it's \{{HttpServletRequest.getPathInfo}}

> Allow path exemptions for referrer filter 
> ------------------------------------------
>
>                 Key: SLING-11115
>                 URL: https://issues.apache.org/jira/browse/SLING-11115
>             Project: Sling
>          Issue Type: Improvement
>          Components: Sling Security
>            Reporter: Lars Krapf
>            Assignee: Angela Schreiber
>            Priority: Major
>             Fix For: Security 1.1.24
>
>
> The referrer filter should have a configuration option to exclude one or several paths from the check. 
> For context:
> It seems that the RedHat SSO IDP sends "Referrer-Policy: no-referrer" by default (to address some [security concerns|https://tools.ietf.org/id/draft-ietf-oauth-security-topics-14.html#rfc.section.4.2.4]). This breaks the SAML POST binding in conjunction with the Sling referrer filter. Currently the only option to make it work is to allow empty referrers in general; however, this weakens the CSRF protection. 
> Allowing the filter to be disabled for individual paths would solve this use case with minimal additional risk. 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
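The trade-off described in the issue, modelled as an added example (this is not Sling's ReferrerFilter code; the config field names, the request samples and the `/saml/acs` path are constructed for illustration). It compares three settings of a referrer-based CSRF check: the strict default, the "allow empty referrers" workaround, and a per-path exemption of the SAML assertion consumer endpoint. Only the exemption lets the no-referrer SAML POST through while a no-referrer POST to an ordinary form path is still rejected.

```python
"""Illustrative model of a referrer-based CSRF check with per-path exemptions.

Added example; not Sling's ReferrerFilter. Field names, paths and hosts are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Request:
    method: str
    path: str                  # servlet path of the request (modelled after getPathInfo)
    referrer: Optional[str]    # value of the Referer header, None when the header is absent


@dataclass(frozen=True)
class ReferrerFilterConfig:
    allow_hosts: FrozenSet[str]                       # referrer hosts accepted for modifying requests
    allow_empty: bool = False                         # accept modifying requests with no Referer at all
    exempt_paths: FrozenSet[str] = frozenset()        # hypothetical: paths that skip the check entirely


# Read-only methods are never subject to the referrer check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_allowed(cfg: ReferrerFilterConfig, req: Request) -> bool:
    """Decide whether the request passes the modelled referrer filter."""
    if req.method.upper() in SAFE_METHODS:
        return True
    if req.path in cfg.exempt_paths:
        # The exempted endpoint gets no referrer-based CSRF protection at all;
        # it must rely on its own validation (for SAML: signed response, InResponseTo, ...).
        return True
    if not req.referrer:
        return cfg.allow_empty
    host = urlparse(req.referrer).hostname
    return host in cfg.allow_hosts


# Constructed sample requests.
REQUESTS: Dict[str, Request] = {
    # IdP posts the SAML response; browser sends no Referer because of "Referrer-Policy: no-referrer"
    "saml_acs_no_referrer": Request("POST", "/saml/acs", None),
    "same_site_form": Request("POST", "/content/form", "https://sling.example/page"),
    "cross_site_form": Request("POST", "/content/form", "https://other.example/"),
    # A POST to an ordinary form path that arrives without any Referer header
    "no_referrer_form": Request("POST", "/content/form", None),
    "plain_get": Request("GET", "/content/page", None),
}


def decisions(cfg: ReferrerFilterConfig) -> Dict[str, bool]:
    """Evaluate every sample request against one configuration."""
    return {name: is_allowed(cfg, req) for name, req in REQUESTS.items()}


TRUSTED = frozenset({"sling.example"})
STRICT = ReferrerFilterConfig(TRUSTED)
ALLOW_EMPTY = ReferrerFilterConfig(TRUSTED, allow_empty=True)
EXEMPT_ACS = ReferrerFilterConfig(TRUSTED, exempt_paths=frozenset({"/saml/acs"}))


if __name__ == "__main__":
    for label, cfg in (("strict", STRICT), ("allow_empty", ALLOW_EMPTY), ("exempt_acs", EXEMPT_ACS)):
        print(label, decisions(cfg))
```

With `STRICT`, the SAML POST is rejected, which is the breakage the issue reports. With `ALLOW_EMPTY` it works, but so does every other no-referrer POST, which is the weakening of CSRF protection the reporter wants to avoid. With `EXEMPT_ACS` only the listed path bypasses the check; the usual form paths still require a trusted referrer, so the added exposure is confined to the endpoint that has its own SAML-level validation.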