Posted to dev@sling.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2015/12/22 14:51:46 UTC

[jira] [Commented] (SLING-2870) Support allowed hosts patterns in ReferrerFilter

    [ https://issues.apache.org/jira/browse/SLING-2870?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15068139#comment-15068139 ] 

ASF GitHub Bot commented on SLING-2870:
---------------------------------------

Github user tmaret closed the pull request at:

    https://github.com/apache/sling/pull/6


> Support allowed hosts patterns in ReferrerFilter
> ------------------------------------------------
>
>                 Key: SLING-2870
>                 URL: https://issues.apache.org/jira/browse/SLING-2870
>             Project: Sling
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: Security 1.0.2
>            Reporter: Timothee Maret
>            Assignee: Carsten Ziegeler
>             Fix For: Security 1.0.6
>
>         Attachments: SLING-2870.patch, SLING-2870.patch
>
>
> The current "allow.hosts" setting of the ReferrerFilter can be configured with a list of trusted hosts.
> In a setup where the list of allowed hosts is expanding as the application runs, it becomes tricky to keep the configuration in sync.
> As an example, a service which supports wildcard URIs such as {{<userId>.my.service.com}} would be required to modify the reference filter configuration for each user, which is hardly doable.
> Thus, I would propose to support regex patterns for the list of "allow.hosts", which would still be secure.
> The example above would be configured as: {{allow.hosts=(.*).my.service.com}}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
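
An added example, not taken from the issue, its patches or Sling's code: a stand-alone Java check of a Referer host against allow-host regex patterns, comparing the pattern as written in the issue with a form whose dots are escaped. Whole-host matching via `Matcher.matches()`, the `isAllowed` helper and the sample referrers are assumptions made for this illustration.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class AllowHostsPatternDemo {

    // Hypothetical helper: true if the referrer's host fully matches a pattern.
    static boolean isAllowed(String referrer, List<Pattern> allowHosts) {
        String host;
        try {
            host = URI.create(referrer).getHost();
        } catch (IllegalArgumentException e) {
            return false; // unparsable referrer is rejected
        }
        if (host == null) {
            return false; // no host component, nothing to match
        }
        for (Pattern p : allowHosts) {
            // Assumption: whole-host match. find() would also accept hosts
            // that only contain a matching substring.
            if (p.matcher(host).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Pattern as written in the issue: every '.' matches any character.
        List<Pattern> asWritten = Arrays.asList(Pattern.compile("(.*).my.service.com"));
        // Literal dots, user part limited to a single DNS label.
        List<Pattern> escaped = Arrays.asList(
                Pattern.compile("[a-z0-9-]+\\.my\\.service\\.com", Pattern.CASE_INSENSITIVE));

        // Constructed sample referrers.
        String[] referrers = {
            "https://alice.my.service.com/page",
            "https://alice.my-service.com/page",
            "https://a.b.my.service.com/page",
            "https://alice.my.service.com.example.net/page",
        };
        for (String r : referrers) {
            System.out.printf("%-48s asWritten=%-5b escaped=%b%n",
                    r, isAllowed(r, asWritten), isAllowed(r, escaped));
        }
    }
}
```

Only the first referrer passes the escaped pattern; the pattern as written also accepts the second and third, and both reject the fourth because the whole host must match.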