[jira] [Updated] (SLING-9061) Evaluate ORIGIN header in addition to Referer header in ReferrerFilter

     [ https://issues.apache.org/jira/browse/SLING-9061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dan Klco updated SLING-9061:
----------------------------
    Fix Version/s: Security 1.1.26

> Evaluate ORIGIN header in addition to Referer header in ReferrerFilter
> ----------------------------------------------------------------------
>
>                 Key: SLING-9061
>                 URL: https://issues.apache.org/jira/browse/SLING-9061
>             Project: Sling
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: Security 1.1.16
>            Reporter: Konrad Windszus
>            Priority: Major
>             Fix For: Security 1.1.26
>
>
> As discussed in https://issues.apache.org/jira/browse/SLING-9043?focusedCommentId=17031442&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17031442 the origin header should be used to implement some CSRF protection. See also https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers, https://seclab.stanford.edu/websec/csrf/csrf.pdf and https://www.sjoerdlangkemper.nl/2019/02/27/prevent-csrf-with-the-origin-http-request-header/

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (SLING-9061) Evaluate ORIGIN header in addition to Referer header in ReferrerFilter

     [ https://issues.apache.org/jira/browse/SLING-9061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated SLING-9061:
------------------------------------
    Fix Version/s:     (was: Security 1.1.22)

> Evaluate ORIGIN header in addition to Referer header in ReferrerFilter
> ----------------------------------------------------------------------
>
>                 Key: SLING-9061
>                 URL: https://issues.apache.org/jira/browse/SLING-9061
>             Project: Sling
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: Security 1.1.16
>            Reporter: Konrad Windszus
>            Priority: Major
>
> As discussed in https://issues.apache.org/jira/browse/SLING-9043?focusedCommentId=17031442&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17031442 the origin header should be used to implement some CSRF protection. See also https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers, https://seclab.stanford.edu/websec/csrf/csrf.pdf and https://www.sjoerdlangkemper.nl/2019/02/27/prevent-csrf-with-the-origin-http-request-header/

--
This message was sent by Atlassian Jira
(v8.20.1#820001)

[jira] [Updated] (SLING-9061) Evaluate ORIGIN header in addition to Referer header in ReferrerFilter

     [ https://issues.apache.org/jira/browse/SLING-9061?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konrad Windszus updated SLING-9061:
-----------------------------------
    Summary: Evaluate ORIGIN header in addition to Referer header in ReferrerFilter  (was: Evaluate ORIGIN header in addition to Referer header in CSRFFilter)

> Evaluate ORIGIN header in addition to Referer header in ReferrerFilter
> ----------------------------------------------------------------------
>
>                 Key: SLING-9061
>                 URL: https://issues.apache.org/jira/browse/SLING-9061
>             Project: Sling
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: Security 1.1.16
>            Reporter: Konrad Windszus
>            Priority: Major
>             Fix For: Security 1.1.22
>
>
> As discussed in https://issues.apache.org/jira/browse/SLING-9043?focusedCommentId=17031442&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17031442 the origin header should be used to implement some CSRF protection. See also https://owasp.org/www-project-cheat-sheets/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers, https://seclab.stanford.edu/websec/csrf/csrf.pdf and https://www.sjoerdlangkemper.nl/2019/02/27/prevent-csrf-with-the-origin-http-request-header/

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
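An added illustration of the check this issue asks for, written here as a standalone Python function rather than taken from Sling's ReferrerFilter: prefer the Origin header, fall back to Referer only when Origin is absent, reject an Origin of "null" or a request carrying neither header, and compare scheme, host and non-default port against an allowlist. The allowlist values and function names are constructed assumptions.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed allowlist of trusted origins (scheme://host[:port]); a real
# deployment would read this from the filter's configuration.
TRUSTED_ORIGINS = {"https://cms.example.org", "https://cms.example.org:8443"}


def origin_of(url: str) -> Optional[str]:
    """Reduce a URL to its normalized scheme://host[:port], or None if unusable."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        return None
    try:
        port = parts.port
    except ValueError:  # malformed port such as "https://a:abc"
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    # Drop the default port so https://a:443 and https://a compare equal,
    # but keep an explicit non-default port so https://a:8443 stays distinct.
    default = {"http": 80, "https": 443}.get(scheme)
    if port is not None and port != default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}"


def is_trusted(headers: Dict[str, str], method: str, trusted=TRUSTED_ORIGINS) -> bool:
    """Return True if a request may proceed under the Origin/Referer check.

    Safe methods are never blocked. When Origin is present it decides alone
    (a browser-set Origin is more reliable than Referer); Referer is consulted
    only when Origin is missing. An Origin of "null" or no usable header at
    all is treated as untrusted, since the request cannot be attributed.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    lower = {k.lower(): v for k, v in headers.items()}
    origin = lower.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return False
        return origin_of(origin) in trusted
    referer = lower.get("referer")
    if referer is None:
        return False
    return origin_of(referer) in trusted
```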