[ https://issues.apache.org/jira/browse/SLING-11115?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17488765#comment-17488765 ]
Angela Schreiber edited comment on SLING-11115 at 2/8/22, 10:50 AM:
--------------------------------------------------------------------

[~cziegeler] , I see, thanks for the explanation... so it's {{HttpServletRequest.getPathInfo}}

was (Author: anchela):
[~cziegeler] , I see, thanks for the explanation... so it's {{HttpServletRequest.getPathInfo}}

> Allow path exemptions for referrer filter
> ------------------------------------------
>
>                 Key: SLING-11115
>                 URL: https://issues.apache.org/jira/browse/SLING-11115
>             Project: Sling
>          Issue Type: Improvement
>          Components: Sling Security
>            Reporter: Lars Krapf
>            Assignee: Angela Schreiber
>            Priority: Major
>             Fix For: Security 1.1.24
>
>
> The referrer filter should have a configuration option to exclude one or
> several paths from the check.
>
> For context:
> It seems that the RedHat SSO IDP sends "Referrer-Policy: no-referrer" by
> default (to address some [security
> concerns|https://tools.ietf.org/id/draft-ietf-oauth-security-topics-14.html#rfc.section.4.2.4]).
> This breaks the SAML POST binding in conjunction with the Sling referrer
> filter. Currently the only option to make it work is to allow empty referrers
> in general, however this weakens the CSRF protection.
> Allowing to disable the filter for individual paths would allow to solve this
> use-case with minimal additional risk.

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
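Added example, not the Sling ReferrerFilter's own code: a small model of the decision the issue discusses, run against both mitigations (the existing global "allow empty referrers" switch versus a per-path exemption keyed on the request's path info). The class, option names, hostnames and sample requests are constructed for illustration.

```python
"""Model of a referrer check with per-path exemptions (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Only state-changing methods are subject to the referrer check.
MODIFYING_METHODS = {"POST", "PUT", "DELETE", "PATCH"}


@dataclass
class ReferrerPolicy:
    allowed_hosts: set[str]                               # hosts a Referer may point at
    allow_empty: bool = False                             # global switch; weakens CSRF defence
    exempt_paths: set[str] = field(default_factory=set)   # paths skipped entirely (constructed option)

    def is_allowed(self, method: str, path_info: str, referer: str | None) -> bool:
        """Return True when the request may pass the filter."""
        if method.upper() not in MODIFYING_METHODS:
            return True                      # safe methods are never blocked
        if path_info in self.exempt_paths:
            return True                      # e.g. the SAML ACS endpoint posted to by the IdP
        if not referer:
            return self.allow_empty          # a missing Referer only passes if globally allowed
        host = urlsplit(referer).hostname
        return host is not None and host in self.allowed_hosts


def compare_configurations() -> dict[str, tuple[bool, bool]]:
    """Run constructed requests against both mitigations.

    Returns {label: (result with allow_empty, result with exempt_paths)}."""
    global_escape = ReferrerPolicy(allowed_hosts={"sling.example.org"}, allow_empty=True)
    path_exemption = ReferrerPolicy(allowed_hosts={"sling.example.org"},
                                    exempt_paths={"/saml/acs"})
    requests = {
        # IdP with "Referrer-Policy: no-referrer" posts the SAML response
        "saml_post_no_referer": ("POST", "/saml/acs", None),
        # cross-site form post to a content path with the Referer stripped
        "content_post_no_referer": ("POST", "/content/site/page", None),
        # legitimate same-site post
        "content_post_same_site": ("POST", "/content/site/page", "https://sling.example.org/editor"),
        # cross-site post whose Referer reveals a foreign origin
        "content_post_foreign": ("POST", "/content/site/page", "https://other-site.example/form"),
    }
    return {name: (global_escape.is_allowed(*req), path_exemption.is_allowed(*req))
            for name, req in requests.items()}


if __name__ == "__main__":
    for label, (with_allow_empty, with_exemption) in compare_configurations().items():
        print(f"{label:26} allow_empty={with_allow_empty!s:5} exempt_path={with_exemption}")
```

The second column shows the point of the issue: only the SAML endpoint accepts a referrer-less POST, while content paths keep rejecting them.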