You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Carsten Ziegeler (JIRA)" <ji...@apache.org> on 2011/07/14 14:47:00 UTC
[jira] [Created] (SLING-2141) Add a way to check the referrer for
modification requests
Add a way to check the referrer for modification requests
---------------------------------------------------------
Key: SLING-2141
URL: https://issues.apache.org/jira/browse/SLING-2141
Project: Sling
Issue Type: New Feature
Components: Extensions
Reporter: Carsten Ziegeler
Assignee: Carsten Ziegeler
Fix For: Security 1.0.0
To prevent CSRF we could add an additional module which checks the referrer (referer header) in combination with a configurable whitelist.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (SLING-2141) Add a way to check the referrer for
modification requests
Posted by "Markus Joschko (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13065240#comment-13065240 ]
Markus Joschko commented on SLING-2141:
---------------------------------------
Is that really worth the effort?
Referer checking is not sufficient to protect against CSRF and might give a false sense of security.
Only tokens can fully prevent CSRF. However as sling is not generating links (or provide mechanisms to do, e.g. via a taglibrary) it's up to the application to do so.
This could be supported by providing a token service that manages the tokens and can be easily utilized from an application.
> Add a way to check the referrer for modification requests
> ---------------------------------------------------------
>
> Key: SLING-2141
> URL: https://issues.apache.org/jira/browse/SLING-2141
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Carsten Ziegeler
> Assignee: Carsten Ziegeler
> Fix For: Security 1.0.0
>
>
> To prevent CSRF we could add an additional module which checks the referrer (referer header) in combination with a configurable whitelist.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (SLING-2141) Add a way to check the referrer for
modification requests
Posted by "Tobias Bocanegra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13065985#comment-13065985 ]
Tobias Bocanegra commented on SLING-2141:
-----------------------------------------
the localhost check should also include IPv6 address:
if ( "localhost".equals(host) || "127.0.0.1".equals(host) )
> Add a way to check the referrer for modification requests
> ---------------------------------------------------------
>
> Key: SLING-2141
> URL: https://issues.apache.org/jira/browse/SLING-2141
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Carsten Ziegeler
> Assignee: Carsten Ziegeler
> Fix For: Security 1.0.0
>
>
> To prevent CSRF we could add an additional module which checks the referrer (referer header) in combination with a configurable whitelist.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Closed] (SLING-2141) Add a way to check the referrer for
modification requests
Posted by "Carsten Ziegeler (Closed) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carsten Ziegeler closed SLING-2141.
-----------------------------------
> Add a way to check the referrer for modification requests
> ---------------------------------------------------------
>
> Key: SLING-2141
> URL: https://issues.apache.org/jira/browse/SLING-2141
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Carsten Ziegeler
> Assignee: Carsten Ziegeler
> Fix For: Security 1.0.0
>
>
> To prevent CSRF we could add an additional module which checks the referrer (referer header) in combination with a configurable whitelist.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (SLING-2141) Add a way to check the referrer for
modification requests
Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13065262#comment-13065262 ]
Carsten Ziegeler commented on SLING-2141:
-----------------------------------------
Started a new security module with revision 1146709
> Add a way to check the referrer for modification requests
> ---------------------------------------------------------
>
> Key: SLING-2141
> URL: https://issues.apache.org/jira/browse/SLING-2141
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Carsten Ziegeler
> Assignee: Carsten Ziegeler
> Fix For: Security 1.0.0
>
>
> To prevent CSRF we could add an additional module which checks the referrer (referer header) in combination with a configurable whitelist.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Resolved] (SLING-2141) Add a way to check the referrer for
modification requests
Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Carsten Ziegeler resolved SLING-2141.
-------------------------------------
Resolution: Fixed
> Add a way to check the referrer for modification requests
> ---------------------------------------------------------
>
> Key: SLING-2141
> URL: https://issues.apache.org/jira/browse/SLING-2141
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Carsten Ziegeler
> Assignee: Carsten Ziegeler
> Fix For: Security 1.0.0
>
>
> To prevent CSRF we could add an additional module which checks the referrer (referer header) in combination with a configurable whitelist.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (SLING-2141) Add a way to check the referrer for
modification requests
Posted by "Carsten Ziegeler (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SLING-2141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13065263#comment-13065263 ]
Carsten Ziegeler commented on SLING-2141:
-----------------------------------------
Yes, it's right that only tokens prevent full CSRF - however a referrer check can help in certain situations
> Add a way to check the referrer for modification requests
> ---------------------------------------------------------
>
> Key: SLING-2141
> URL: https://issues.apache.org/jira/browse/SLING-2141
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Carsten Ziegeler
> Assignee: Carsten Ziegeler
> Fix For: Security 1.0.0
>
>
> To prevent CSRF we could add an additional module which checks the referrer (referer header) in combination with a configurable whitelist.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira