Posted to dev@sling.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2022/02/03 13:15:00 UTC

[jira] [Assigned] (SLING-11115) Allow path exemptions for referrer filter

     [ https://issues.apache.org/jira/browse/SLING-11115?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Angela Schreiber reassigned SLING-11115:
----------------------------------------

    Assignee: Angela Schreiber

> Allow path exemptions for referrer filter 
> ------------------------------------------
>
>                 Key: SLING-11115
>                 URL: https://issues.apache.org/jira/browse/SLING-11115
>             Project: Sling
>          Issue Type: Improvement
>          Components: Sling Security
>            Reporter: Lars Krapf
>            Assignee: Angela Schreiber
>            Priority: Major
>
> The referrer filter should have a configuration option to exclude one or several paths from the check. 
> For context:
> It seems that the RedHat SSO IDP sends "Referrer-Policy: no-referrer" by default (to address some [security concerns|https://tools.ietf.org/id/draft-ietf-oauth-security-topics-14.html#rfc.section.4.2.4]). This breaks the SAML POST binding in conjunction with the Sling referrer filter. Currently the only option to make it work is to allow empty referrers in general; however, this weakens the CSRF protection. 
> Allowing the filter to be disabled for individual paths would solve this use case with minimal additional risk. 
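The trade-off the issue describes can be seen by modelling the three configurations side by side. The following is an added illustration, not code from Apache Sling's referrer filter; it is a simplified model of a referrer check (state-changing methods only, Referer host compared against the server host and an allow-list, a global "allow empty" switch, and the per-path exemption the issue asks for). The host names, the SAML endpoint path `/saml/acs` and the option names are constructed for the example.

```python
"""Simplified model of a referrer check with per-path exemptions (not Sling's code)."""
from urllib.parse import urlsplit

# Methods that do not change state are never subject to the check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def path_is_exempt(path, exempt_paths):
    """True if `path` equals, or lies below, one of the exempt path prefixes."""
    for prefix in exempt_paths:
        if path == prefix or path.startswith(prefix.rstrip("/") + "/"):
            return True
    return False


def referrer_allowed(method, path, referer, server_host,
                     allowed_hosts=(), allow_empty=False, exempt_paths=()):
    """Decide whether a request passes the referrer check.

    method/path/referer describe the request; server_host is the host the
    application is served on; allowed_hosts are additional trusted origins;
    allow_empty mirrors a global "accept a missing Referer" switch;
    exempt_paths is the per-path exemption proposed in the issue (assumed
    semantics: the check is skipped entirely for those paths).
    """
    if method.upper() in SAFE_METHODS:
        return True
    if path_is_exempt(path, exempt_paths):
        return True
    if not referer:
        # A missing Referer is only accepted when the global switch is on.
        return allow_empty
    host = urlsplit(referer).hostname
    if host is None:
        # Malformed or relative Referer: treat as untrusted.
        return False
    return host == server_host or host in allowed_hosts


def evaluate_policies():
    """Compare the three ways of handling a SAML POST that carries no Referer."""
    server = "sling.example"            # constructed application host
    acs = "/saml/acs"                   # constructed SAML POST-binding endpoint
    other = "/content/site/page"        # constructed unrelated state-changing path

    policies = {
        # Out of the box: the IdP's no-referrer POST is rejected.
        "default": dict(allow_empty=False, exempt_paths=()),
        # Workaround from the issue: accept empty referrers everywhere.
        "allow_empty": dict(allow_empty=True, exempt_paths=()),
        # Proposed improvement: exempt only the SAML endpoint.
        "exempt_acs": dict(allow_empty=False, exempt_paths=(acs,)),
    }
    results = {}
    for name, cfg in policies.items():
        results[name] = {
            "saml_post_no_referer":
                referrer_allowed("POST", acs, None, server, **cfg),
            "other_post_no_referer":
                referrer_allowed("POST", other, None, server, **cfg),
            "other_post_foreign_referer":
                referrer_allowed("POST", other, "https://evil.example/", server, **cfg),
        }
    return results


if __name__ == "__main__":
    for policy, outcome in evaluate_policies().items():
        print(policy, outcome)
```

Under `allow_empty`, every state-changing request without a Referer is accepted, which is exactly the weakening of CSRF protection the reporter points out; under `exempt_acs`, the SAML endpoint works while a referrer-less POST to any other path is still rejected. When adding such an exemption in a real deployment, keep the list to the endpoints that have their own request authentication (the SAML response is signed and validated by the IdP integration), since an exempt path receives no referrer-based protection at all.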



--
This message was sent by Atlassian Jira
(v8.20.1#820001)