Antonio Sanso created SLING-4019:
------------------------------------

Summary: ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false
Key: SLING-4019
URL: https://issues.apache.org/jira/browse/SLING-4019
Project: Sling
Issue Type: Bug
Reporter: Antonio Sanso

The ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false. The reason is that an attacker can force an empty referrer in at least two ways:

- If the victim site runs over http, the attacker can create a "mallory page" under an https site. In this case (namely https-to-http) the referrer is not passed.
- The attacker creates a dynamic POST doing something like:

{code}
<html>
<head>
<script>
function load() {
  var postdata = '<form id=dynForm method=POST action=\'https://www.google.com\'>' +
    '<input type=hidden name=email value=exam...@live.com />' +
    '<input type=hidden name=pass value=password />' +
    '<input type=hidden name=locale value=en_US />' +
    '</form>';
  top.frames[0].document.body.innerHTML = postdata;
  top.frames[0].document.getElementById('dynForm').submit();
}
</script>
</head>
<body onload="load()">
<iframe src="about:blank" id="noreferer"></iframe>
</body>
</html>
{code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
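To show what the flag changes, here is an added example (illustrative code, not Sling's ReferrerFilter) of a minimal referrer check for state-changing requests. It assumes a hypothetical `ReferrerCheck` class, `example.org` as the site's allowed host, and POST/PUT/DELETE as the methods that need checking; with `allowEmpty` set to true a missing Referer header passes, with it set to false the same request is rejected.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/** Illustrative referrer check modelled on the behaviour discussed in SLING-4019; not Sling's code. */
public final class ReferrerCheck {
    // Methods that change state and therefore need a referrer check (assumption for this example).
    private static final Set<String> STATE_CHANGING = Set.of("POST", "PUT", "DELETE");

    private final Set<String> allowedHosts;
    private final boolean allowEmpty;   // the setting this issue wants to default to false

    public ReferrerCheck(Set<String> allowedHosts, boolean allowEmpty) {
        this.allowedHosts = allowedHosts;
        this.allowEmpty = allowEmpty;
    }

    /** Returns true if the request may proceed. */
    public boolean isAllowed(String method, String referer) {
        if (!STATE_CHANGING.contains(method.toUpperCase())) {
            return true; // GET, HEAD etc. pass through unchecked
        }
        if (referer == null || referer.isEmpty()) {
            // Empty Referer: the https-to-http and about:blank iframe cases described above
            // both arrive here, so accepting it lets a cross-site POST through.
            return allowEmpty;
        }
        try {
            String host = new URI(referer).getHost();
            return host != null && allowedHosts.contains(host.toLowerCase());
        } catch (URISyntaxException e) {
            return false; // an unparsable referrer is treated as untrusted
        }
    }

    public static void main(String[] args) {
        Set<String> hosts = Set.of("example.org");            // assumed site host
        ReferrerCheck weak = new ReferrerCheck(hosts, true);   // current default: allow empty
        ReferrerCheck fixed = new ReferrerCheck(hosts, false); // proposed default
        String[] referers = { null, "", "http://example.org/page", "http://attacker.example/" };
        for (String r : referers) {
            System.out.printf("referer=%-28s allowEmpty=true -> %-5b allowEmpty=false -> %b%n",
                    r, weak.isAllowed("POST", r), fixed.isAllowed("POST", r));
        }
    }
}
```

Only the two empty-referrer rows differ between the two configurations; a referrer from a foreign host is rejected either way.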