Posted to dev@sling.apache.org by "Dan Klco (Jira)" <ji...@apache.org> on 2023/05/12 01:38:00 UTC
[jira] [Created] (SLING-11871) Referrer Filter - Enable Bypass for Requests with Origin Header
Dan Klco created SLING-11871:
--------------------------------
Summary: Referrer Filter - Enable Bypass for Requests with Origin Header
Key: SLING-11871
URL: https://issues.apache.org/jira/browse/SLING-11871
Project: Sling
Issue Type: Improvement
Components: Sling Security
Affects Versions: Security 1.1.24
Reporter: Dan Klco
Assignee: Dan Klco
Fix For: Security 1.1.26
The Referrer Filter in Apache Sling Security blocks requests without a Referrer or with a non-allow-listed Referrer. Therefore the Referrer Filter will also block external CORS requests, which, rather than using the Referrer like standard browser requests, use the Origin header.
We should therefore enable bypassing the ReferrerFilter for requests containing an Origin header. These requests would need to be separately validated by something else to ensure the Origin is valid.
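The decision flow the issue describes, as an added example that is not part of the original message and is not Sling's own code: a request with an Origin header skips the referrer check only when the bypass is enabled, and a separate origin allow list then decides. The class, the `bypassWithOrigin` flag, the `originAllowed` validator and all host names are hypothetical, and headers are matched case-sensitively for brevity.

```java
import java.net.URI;
import java.util.Map;
import java.util.Set;

public class ReferrerOriginDemo {
    // Constructed sample values, not Sling configuration.
    static final Set<String> ALLOWED_REFERRER_HOSTS = Set.of("author.example.com");
    static final Set<String> ALLOWED_ORIGINS = Set.of("https://app.example.org");

    // Host part of a header value, or null when it is missing or unparsable.
    static String hostOf(String value) {
        if (value == null) return null;
        try {
            return URI.create(value).getHost();
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    // Referrer check as the issue describes it: block a missing or non-allow-listed Referer.
    static boolean referrerAllowed(Map<String, String> headers) {
        String host = hostOf(headers.get("Referer"));
        return host != null && ALLOWED_REFERRER_HOSTS.contains(host);
    }

    // Hypothetical separate validator: exact match against an origin allow list.
    static boolean originAllowed(Map<String, String> headers) {
        String origin = headers.get("Origin");
        return origin != null && ALLOWED_ORIGINS.contains(origin);
    }

    static String decide(Map<String, String> headers, boolean bypassWithOrigin) {
        if (bypassWithOrigin && headers.containsKey("Origin")) {
            // Referrer check skipped; something else must vouch for the Origin.
            return originAllowed(headers) ? "ALLOW (origin validated)" : "BLOCK (origin rejected)";
        }
        return referrerAllowed(headers) ? "ALLOW (referrer)" : "BLOCK (referrer)";
    }

    public static void main(String[] args) {
        // Constructed requests: a same-site browser call and two cross-origin calls.
        Map<String, String> browser = Map.of("Referer", "https://author.example.com/page.html");
        Map<String, String> cors = Map.of("Origin", "https://app.example.org");
        Map<String, String> unknown = Map.of("Origin", "https://other.example.net");
        for (boolean bypass : new boolean[] {false, true}) {
            System.out.println("bypass=" + bypass + " browser: " + decide(browser, bypass)
                + " | cors: " + decide(cors, bypass) + " | unknown: " + decide(unknown, bypass));
        }
    }
}
```

With the bypass off, both Origin-only requests are blocked by the referrer check; with it on, the outcome depends entirely on the origin validator, which is why the bypass is only safe when such a validator is in place.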