You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@sling.apache.org by "Cris Rockwell (Jira)" <ji...@apache.org> on 2021/09/28 13:51:00 UTC

[jira] [Created] (SLING-10843) Referrer Filter allowance for app://

Cris Rockwell created SLING-10843:
-------------------------------------

             Summary: Referrer Filter allowance for app://
                 Key: SLING-10843
                 URL: https://issues.apache.org/jira/browse/SLING-10843
             Project: Sling
          Issue Type: Improvement
          Components: Sling Security
    Affects Versions: Security 1.1.20
            Reporter: Cris Rockwell
            Assignee: Cris Rockwell


Sling's ReferrerFilter has this code in the isValidRequest method.
// check for air referrer - which is always allowedif ( referrer.startsWith("app:/") ) {  return true;
}
[Sling ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]

There's no need to have app:// as a hard-coded allowance around the Referrer Filter, because applications can configure allow.hosts.regexp to allow AIR referrer if needed.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)