[jira] [Created] (SLING-10843) Referrer Filter allowance for app://

Cris Rockwell (Jira) Tue, 28 Sep 2021 06:51:11 -0700

Cris Rockwell created SLING-10843:
-------------------------------------

             Summary: Referrer Filter allowance for app://
                 Key: SLING-10843
                 URL: https://issues.apache.org/jira/browse/SLING-10843
             Project: Sling
          Issue Type: Improvement
          Components: Sling Security
    Affects Versions: Security 1.1.20
            Reporter: Cris Rockwell
            Assignee: Cris Rockwell



Sling's ReferrerFilter has this code in the isValidRequest method.
// check for air referrer - which is always allowedif ( 
referrer.startsWith("app:/") ) {  return true;
}
[Sling 
ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]

There's no need to have app:// as a hard-coded allowance around the Referrer 
Filter, because applications can configure allow.hosts.regexp to allow AIR 
referrer if needed.

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Created] (SLING-10843) Referrer Filter allowance for app://

Reply via email to