[ https://issues.apache.org/jira/browse/SLING-9061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17722288#comment-17722288 ]
Dan Klco commented on SLING-9061:
---------------------------------

Potential PR https://github.com/apache/sling-org-apache-sling-security/pull/9

> Evaluate ORIGIN header in addition to Referer header in ReferrerFilter
> ----------------------------------------------------------------------
>
>                 Key: SLING-9061
>                 URL: https://issues.apache.org/jira/browse/SLING-9061
>             Project: Sling
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: Security 1.1.16
>            Reporter: Konrad Windszus
>            Priority: Major
>
> As discussed in
> https://issues.apache.org/jira/browse/SLING-9043?focusedCommentId=17031442&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17031442
> the origin header should be used to implement some CSRF protection. See also
> https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers,
> https://seclab.stanford.edu/websec/csrf/csrf.pdf and
> https://www.sjoerdlangkemper.nl/2019/02/27/prevent-csrf-with-the-origin-http-request-header/

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
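The Origin-then-Referer check the issue proposes, as an added illustration written against the javax.servlet API; it is not the code of the linked PR or of Sling's ReferrerFilter. The CHECKED method set, the ALLOWED host list and the reject-when-both-headers-are-absent policy are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Illustrative servlet filter: evaluates the Origin header first and falls back to Referer. */
public class OriginCheckFilter implements Filter {
    // State-changing methods that must carry an acceptable Origin or Referer (assumed set).
    private static final Set<String> CHECKED = Set.of("POST", "PUT", "DELETE", "PATCH");
    // Placeholder allow-list of host[:port] values this deployment is reachable under.
    private static final Set<String> ALLOWED = Set.of("example.com", "app.example.com:8443");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        if (!CHECKED.contains(request.getMethod()) || isAllowed(request)) {
            chain.doFilter(req, res);
        } else {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    static boolean isAllowed(HttpServletRequest request) {
        // Browsers attach Origin to cross-site requests and page scripts cannot alter it.
        String origin = request.getHeader("Origin");
        if (origin != null && !origin.isEmpty()) {
            // "null" is an opaque origin (sandboxed frame, file:// page, some redirects): untrusted.
            return !"null".equals(origin) && trusted(origin);
        }
        // No Origin header: fall back to Referer, as a Referer-only filter would.
        String referer = request.getHeader("Referer");
        // Neither header present: reject (assumed policy; a real filter may make this configurable).
        return referer != null && !referer.isEmpty() && trusted(referer);
    }

    /** True when the URL's host[:port] is in the allow-list; unparsable values are untrusted. */
    static boolean trusted(String url) {
        try {
            URI uri = new URI(url);
            if (uri.getHost() == null) return false;
            String host = uri.getHost().toLowerCase();
            return ALLOWED.contains(uri.getPort() == -1 ? host : host + ":" + uri.getPort());
        } catch (URISyntaxException e) {
            return false;
        }
    }
}
```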