[ https://issues.apache.org/jira/browse/SLING-11115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17488704#comment-17488704 ]
Angela Schreiber commented on SLING-11115:
------------------------------------------

[~chaotic], [~cziegeler], what do you have in mind when you refer to 'complete paths'? The path-info associated with the request? Or rather verify if the request URI ends with any of the configured exempted paths?

> Allow path exemptions for referrer filter
> ------------------------------------------
>
> Key: SLING-11115
> URL: https://issues.apache.org/jira/browse/SLING-11115
> Project: Sling
> Issue Type: Improvement
> Components: Sling Security
> Reporter: Lars Krapf
> Assignee: Angela Schreiber
> Priority: Major
> Fix For: Security 1.1.24
>
>
> The referrer filter should have a configuration option to exclude one or several paths from the check.
> For context:
> It seems that the RedHat SSO IDP sends "Referrer-Policy: no-referrer" by default (to address some [security concerns|https://tools.ietf.org/id/draft-ietf-oauth-security-topics-14.html#rfc.section.4.2.4]).
> This breaks the SAML POST binding in conjunction with the Sling referrer filter. Currently the only option to make it work is to allow empty referrers in general, however this weakens the CSRF protection.
> Allowing to disable the filter for individual paths would allow to solve this use-case with minimal additional risk.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
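As an added illustration (example code, not from the issue and not Sling's own ReferrerFilter), a simplified model of a referrer check with per-path exemptions: it shows why allowing empty referrers globally weakens CSRF protection, while an exemption confines the relaxation to the SAML endpoint. The host names, the `/saml_login` path and the three matching modes (exact path, prefix with path-info, request-URI suffix) are constructed assumptions that mirror the question raised in the comment.

```python
from urllib.parse import urlsplit

# Methods the filter treats as state-changing (assumption for this model).
UNSAFE_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


class ReferrerFilter:
    """Simplified referrer filter with configurable path exemptions (constructed model)."""

    def __init__(self, allowed_hosts, allow_empty=False, exempt_paths=(), match="exact"):
        self.allowed_hosts = set(allowed_hosts)
        self.allow_empty = allow_empty          # the global, risky relaxation
        self.exempt_paths = tuple(exempt_paths)  # the per-path alternative
        self.match = match  # "exact" | "prefix" | "suffix": the open design question

    def is_exempt(self, path):
        if self.match == "exact":      # the complete resource path must be configured
            return path in self.exempt_paths
        if self.match == "prefix":     # configured path plus any path-info/suffix
            return any(path == p or path.startswith(p + "/") for p in self.exempt_paths)
        if self.match == "suffix":     # request URI ends with a configured path
            return any(path.endswith(p) for p in self.exempt_paths)
        raise ValueError(f"unknown match mode {self.match!r}")

    def allows(self, method, path, referer):
        """Return True if the request passes the referrer check."""
        if method.upper() not in UNSAFE_METHODS:
            return True                 # safe methods are not checked
        if self.is_exempt(path):
            return True                 # exempted path: check skipped only here
        if not referer:
            return self.allow_empty     # no Referer header (e.g. IDP sent no-referrer)
        return urlsplit(referer).hostname in self.allowed_hosts


def demo():
    """Compare the three configurations for a constructed SAML POST and a cross-site POST."""
    strict = ReferrerFilter(["sling.example"])
    global_empty = ReferrerFilter(["sling.example"], allow_empty=True)
    exempted = ReferrerFilter(["sling.example"], exempt_paths=["/saml_login"])
    saml_post = ("POST", "/saml_login", "")            # IDP response, no Referer
    csrf_post = ("POST", "/content/page.html", "")     # forged request, no Referer
    return {name: (f.allows(*saml_post), f.allows(*csrf_post))
            for name, f in [("strict", strict), ("global_empty", global_empty),
                            ("exempted", exempted)]}
```

`demo()` returns `(saml_accepted, csrf_accepted)` per configuration: strict blocks both, the global allow-empty setting accepts both, and the path exemption accepts only the SAML endpoint.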