[ 
https://issues.apache.org/jira/browse/SLING-11115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17486448#comment-17486448
 ] 

Carsten Ziegeler commented on SLING-11115:
------------------------------------------

[~chaotic] What should such an exclude list look like? Complete paths or path 
prefixes?

> Allow path exemptions for referrer filter 
> ------------------------------------------
>
>                 Key: SLING-11115
>                 URL: https://issues.apache.org/jira/browse/SLING-11115
>             Project: Sling
>          Issue Type: Improvement
>          Components: Sling Security
>            Reporter: Lars Krapf
>            Priority: Major
>
> The referrer filter should have a configuration option to exclude one or 
> several paths from the check. 
> For context:
> It seems that the RedHat SSO IDP sends "Referrer-Policy: no-referrer" by 
> default (to address some [security 
> concerns|https://tools.ietf.org/id/draft-ietf-oauth-security-topics-14.html#rfc.section.4.2.4]).
>  This breaks the SAML POST binding in conjunction with the Sling referrer 
> filter. Currently the only option to make it work is to allow empty referrers 
> in general, however this weakens the CSRF protection. 
> Allowing to disable the filter for individual paths would allow to solve this 
> use-case with minimal additional risk. 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
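To make the trade-off in the request concrete (a global "allow empty referrer" versus a per-path exemption, and the exact-path versus path-prefix question raised in the comment), the following is an added, runnable model of a referrer-based CSRF check with path exemptions. It is illustration only, not Sling's ReferrerFilter and not code from the issue; the names ReferrerPolicy, check_request and evaluate, the hosts, and the /saml/acs path are assumptions, and the sample requests are constructed. The missing Referer in the SAML case is what an IdP sending Referrer-Policy: no-referrer produces on the POST binding.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Methods that never change state, so the filter lets them through unchecked.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


@dataclass
class ReferrerPolicy:
    """Configuration of the (hypothetical) referrer check."""
    allowed_hosts: frozenset = frozenset()   # external hosts accepted as referrers
    allow_empty: bool = False                # global escape hatch: accept a missing Referer everywhere
    exempt_paths: frozenset = frozenset()    # exact request paths the check skips entirely
    exempt_prefixes: tuple = ()              # path prefixes the check skips entirely

    def is_exempt(self, path: str) -> bool:
        if path in self.exempt_paths:
            return True
        return any(path.startswith(prefix) for prefix in self.exempt_prefixes)


def check_request(policy: ReferrerPolicy, method: str, path: str,
                  referer: Optional[str], request_host: str) -> tuple:
    """Decide whether a request passes the referrer check. Returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if policy.is_exempt(path):
        return True, "path exempt from referrer check"
    if not referer:
        if policy.allow_empty:
            return True, "empty referrer allowed globally"
        return False, "empty referrer rejected"
    host = urlsplit(referer).hostname
    if host is None:
        # Assumption: a Referer without a host is treated as untrusted, not as same-origin.
        return False, "referrer has no host"
    if host == request_host or host in policy.allowed_hosts:
        return True, "referrer host allowed"
    return False, "referrer host %s not allowed" % host


# Constructed sample setup for the situation the issue describes: the IdP POSTs the
# SAMLResponse to the assertion consumer service path without any Referer header.
APP_HOST = "app.example.com"
ACS_PATH = "/saml/acs"
IDP_HOSTS = frozenset({"sso.example.com"})
STRICT = ReferrerPolicy(allowed_hosts=IDP_HOSTS)
GLOBAL_EMPTY = ReferrerPolicy(allowed_hosts=IDP_HOSTS, allow_empty=True)
EXEMPT_EXACT = ReferrerPolicy(allowed_hosts=IDP_HOSTS, exempt_paths=frozenset({ACS_PATH}))
EXEMPT_PREFIX = ReferrerPolicy(allowed_hosts=IDP_HOSTS, exempt_prefixes=("/saml/",))


def evaluate(policy: ReferrerPolicy) -> dict:
    """Run the same constructed requests against a policy; True means the check passes."""
    return {
        # the SAML POST binding: no Referer header at all
        "saml_post_no_referer": check_request(policy, "POST", ACS_PATH, None, APP_HOST)[0],
        # the same endpoint addressed with an extension on the path (Sling request
        # paths can carry selectors, extensions and suffixes), still without Referer
        "saml_post_variant_path": check_request(policy, "POST", ACS_PATH + ".html", None, APP_HOST)[0],
        # a cross-site form post to ordinary content, also without a Referer
        "csrf_post_no_referer": check_request(policy, "POST", "/content/site/page", None, APP_HOST)[0],
        # a cross-site form post that does carry the attacking site's Referer
        "csrf_post_evil_referer": check_request(policy, "POST", "/content/site/page",
                                                "https://evil.example/", APP_HOST)[0],
        # a legitimate same-origin post
        "same_origin_post": check_request(policy, "POST", "/content/site/page",
                                          "https://%s/edit" % APP_HOST, APP_HOST)[0],
    }


if __name__ == "__main__":
    for name, policy in [("strict", STRICT), ("allow_empty", GLOBAL_EMPTY),
                         ("exempt_exact", EXEMPT_EXACT), ("exempt_prefix", EXEMPT_PREFIX)]:
        print(name, evaluate(policy))
```

Running it shows the difference the issue is after: with allow_empty the SAML post gets through, but so does a referrer-less cross-site post to any content path, whereas an exemption only lets the listed endpoint through and every other path keeps rejecting empty referrers. The exact-versus-prefix choice shows up in the variant-path row: an exact entry does not cover "/saml/acs.html", a prefix does, but a prefix also covers everything else under it, so it should be kept as narrow as the endpoint allows.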
