[ https://issues.apache.org/jira/browse/SLING-2141?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13065240#comment-13065240 ]
Markus Joschko commented on SLING-2141: --------------------------------------- Is that really worth the effort? Referer checking is not sufficient to protect against CSRF and might give a false sense of security. Only tokens can fully prevent CSRF. However as sling is not generating links (or provide mechanisms to do, e.g. via a taglibrary) it's up to the application to do so. This could be supported by providing a token service that manages the tokens and can be easily utilized from an application. > Add a way to check the referrer for modification requests > --------------------------------------------------------- > > Key: SLING-2141 > URL: https://issues.apache.org/jira/browse/SLING-2141 > Project: Sling > Issue Type: New Feature > Components: Extensions > Reporter: Carsten Ziegeler > Assignee: Carsten Ziegeler > Fix For: Security 1.0.0 > > > To prevent CSRF we could add an additional module which checks the referrer > (referer header) in combination with a configurable whitelist. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira