[ https://issues.apache.org/jira/browse/SLING-2870?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13656884#comment-13656884 ]
Timothee Maret commented on SLING-2870:
---------------------------------------

pull request: https://github.com/apache/sling/pull/6

> Support allowed hosts patterns in ReferrerFilter
> ------------------------------------------------
>
>                 Key: SLING-2870
>                 URL: https://issues.apache.org/jira/browse/SLING-2870
>             Project: Sling
>          Issue Type: Improvement
>          Components: Extensions
>    Affects Versions: Security 1.0.2
>            Reporter: Timothee Maret
>
> The current "allow.hosts" setting of the ReferrerFilter can be configured with a list of trusted hosts.
> In a setup where the list of allowed hosts is expanding as the application runs, it becomes tricky to keep the configuration in sync.
> As an example, a service which supports wildcard URIs such as
> {noformat}
> <userId>.my.service.com
> {noformat}
> would be required to modify the reference filter configuration for each user, which is hardly doable.
> Thus, I would propose to support regex patterns for the list of "allow.hosts", which would still be secure.
> The example above would be configured as:
> {noformat}
> allow.hosts=*.my.service.com
> {noformat}
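
An added example, not code from Sling or from the pull request: one way a referrer check could match the Referer host against a list of patterns. The class and method names are hypothetical, and it assumes each entry is a Java regex for the complete host name, so the per-user case is written as `[a-z0-9-]+\.my\.service\.com`.

```java
import java.net.URI;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

// Illustration only; names are hypothetical and not part of Sling's ReferrerFilter.
public class AllowedHostPatterns {
    private final List<Pattern> patterns;

    // Assumption: every entry is a regex that describes a whole host name.
    public AllowedHostPatterns(List<String> regexes) {
        this.patterns = regexes.stream().map(Pattern::compile).collect(Collectors.toList());
    }

    // True only if the Referer parses as a URI with a host and that host
    // matches one pattern in full. This sketch rejects a missing Referer.
    public boolean isAllowed(String referer) {
        if (referer == null) {
            return false;
        }
        final String host;
        try {
            host = URI.create(referer).getHost();
        } catch (IllegalArgumentException e) {
            return false; // unparsable Referer value
        }
        if (host == null) {
            return false; // relative or opaque URI: no host to compare
        }
        String h = host.toLowerCase(Locale.ROOT);
        // matches() anchors the pattern at both ends. find() would also accept
        // a host that merely contains an allowed name somewhere inside it.
        return patterns.stream().anyMatch(p -> p.matcher(h).matches());
    }

    public static void main(String[] args) {
        AllowedHostPatterns allow =
            new AllowedHostPatterns(List.of("[a-z0-9-]+\\.my\\.service\\.com"));
        // Constructed sample Referer values.
        String[] samples = {
            "https://alice.my.service.com/content/page.html", // allowed
            "https://alice.my.service.com.example.net/",      // rejected: allowed name is only a prefix
            "https://example.net/?next=alice.my.service.com", // rejected: name is in the query, not the host
            "https://my.service.com/"                         // rejected: no user label before the suffix
        };
        for (String s : samples) {
            System.out.println(allow.isAllowed(s) + "  " + s);
        }
    }
}
```

The comparison is made on the parsed host rather than on the raw header string, and the dots in the pattern are escaped so that they match only a literal dot.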