Posted to dev@sling.apache.org by "Dan Klco (Jira)" <ji...@apache.org> on 2023/05/12 01:38:00 UTC

[jira] [Created] (SLING-11871) Referrer Filter - Enable Bypass for Requests with Origin Header

Dan Klco created SLING-11871:
--------------------------------

             Summary: Referrer Filter - Enable Bypass for Requests with Origin Header
                 Key: SLING-11871
                 URL: https://issues.apache.org/jira/browse/SLING-11871
             Project: Sling
          Issue Type: Improvement
          Components: Sling Security
    Affects Versions: Security 1.1.24
            Reporter: Dan Klco
            Assignee: Dan Klco
             Fix For: Security 1.1.26


The Referrer Filter in Apache Sling Security blocks requests without a Referrer or with a non-allow-listed Referrer. Therefore the Referrer Filter will also block external CORS requests, which, rather than using the Referrer like standard browser requests, use the Origin header.

We should therefore enable bypassing the ReferrerFilter for requests containing an Origin header. These requests would need to be separately validated by something else to ensure the Origin is valid.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
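
The decision flow the issue describes, as an added example that is not part of the original message and is not Sling's code: requests carrying an Origin header skip the referrer check, so a separate exact-match Origin check becomes their only gate. All class, method and host names are hypothetical, and the sample requests are constructed.

```java
import java.net.URI;
import java.util.Locale;
import java.util.Set;

// Added illustration; names are hypothetical and are not Sling APIs.
public class OriginBypassSketch {
    enum Decision { ALLOW, BLOCK }

    // Referrer check as the issue describes it: block when the Referer is
    // missing or its host is not on the allow list.
    static Decision referrerCheck(String referer, Set<String> allowedHosts) {
        if (referer == null || referer.isEmpty()) return Decision.BLOCK;
        try {
            String host = URI.create(referer).getHost();
            return host != null && allowedHosts.contains(host.toLowerCase(Locale.ROOT))
                    ? Decision.ALLOW : Decision.BLOCK;
        } catch (IllegalArgumentException e) {
            return Decision.BLOCK; // unparsable Referer
        }
    }

    // The separate validation the issue calls for: exact match on the
    // serialized origin (scheme://host[:port]). The literal "null" origin
    // and look-alike suffixes never match an allow-listed entry.
    static Decision originCheck(String origin, Set<String> allowedOrigins) {
        return allowedOrigins.contains(origin) ? Decision.ALLOW : Decision.BLOCK;
    }

    // With the bypass, a request carrying Origin skips the referrer check,
    // so the origin check is the only gate left for it.
    static Decision decide(String referer, String origin,
                           Set<String> allowedHosts, Set<String> allowedOrigins) {
        if (origin != null) return originCheck(origin, allowedOrigins);
        return referrerCheck(referer, allowedHosts);
    }

    public static void main(String[] args) {
        Set<String> hosts = Set.of("author.example.com");        // constructed
        Set<String> origins = Set.of("https://app.example.com"); // constructed
        String[][] requests = {                                  // {Referer, Origin}, constructed
            {"https://author.example.com/page.html", null},
            {null, null},
            {null, "https://app.example.com"},
            {null, "https://app.example.com.example.net"},
            {null, "null"},
        };
        for (String[] r : requests)
            System.out.printf("Referer=%s Origin=%s -> %s%n",
                    r[0], r[1], decide(r[0], r[1], hosts, origins));
    }
}
```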