[
https://issues.apache.org/jira/browse/SLING-2141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13065240#comment-13065240
]
Markus Joschko commented on SLING-2141:
---------------------------------------
Is that really worth the effort?
Referer checking is not sufficient to protect against CSRF and might give a
false sense of security.
Only tokens can fully prevent CSRF. However as sling is not generating links
(or provide mechanisms to do, e.g. via a taglibrary) it's up to the application
to do so.
This could be supported by providing a token service that manages the tokens
and can be easily utilized from an application.
> Add a way to check the referrer for modification requests
> ---------------------------------------------------------
>
> Key: SLING-2141
> URL: https://issues.apache.org/jira/browse/SLING-2141
> Project: Sling
> Issue Type: New Feature
> Components: Extensions
> Reporter: Carsten Ziegeler
> Assignee: Carsten Ziegeler
> Fix For: Security 1.0.0
>
>
> To prevent CSRF we could add an additional module which checks the referrer
> (referer header) in combination with a configurable whitelist.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
