[ https://issues.apache.org/jira/browse/SLING-4019?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antonio Sanso resolved SLING-4019.
----------------------------------
    Resolution: Fixed

fixed in r1660146

> ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false
> -----------------------------------------------------------
>
>                 Key: SLING-4019
>                 URL: https://issues.apache.org/jira/browse/SLING-4019
>             Project: Sling
>          Issue Type: Bug
>            Reporter: Antonio Sanso
>            Assignee: Antonio Sanso
>
> The ReferrerFilter should have DEFAULT_ALLOW_EMPTY set to false.
> The reason is that the attacker can force an empty referrer in at least two ways:
> - If the victim site runs using http, the attacker can create a "mallory page" under an https site. In this case (namely https-to-http) the referrer is not passed.
> - The attacker creates a dynamic post doing something like:
> {code}
> <html>
> <head>
> <script>
> function load() {
>   var postdata = '<form id=dynForm method=POST action=\'https://www.google.com\'>' +
>     '<input type=hidden name=email value=exam...@live.com />' +
>     '<input type=hidden name=pass value=password />' +
>     '<input type=hidden name=locale value=en_US />' +
>     '</form>';
>   top.frames[0].document.body.innerHTML = postdata;
>   top.frames[0].document.getElementById('dynForm').submit();
> }
> </script>
> </head>
> <body onload="load()">
> <iframe src="about:blank" id="noreferer"></iframe>
> </body>
> </html>
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
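A defender-side illustration of the decision this issue changes, added here as an example and not code from Sling's ReferrerFilter: a constructed Referer check whose `allow_empty` switch models DEFAULT_ALLOW_EMPTY, run over constructed requests that include the two empty-referrer cases the issue describes (https-to-http navigation, where the browser omits the header, and an about:blank iframe, where it is empty). Host names and request values are constructed.

```python
from urllib.parse import urlsplit

# Methods that are not state-changing and therefore never need a Referer check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def is_request_allowed(method, host, referer, allow_empty=False, allowed_hosts=()):
    """Constructed Referer-based CSRF check (not Sling's implementation).

    method        -- HTTP method of the request
    host          -- Host header of the request (the site being protected), port allowed
    referer       -- Referer header value, or None if the header is absent
    allow_empty   -- accept a missing/empty Referer (models DEFAULT_ALLOW_EMPTY)
    allowed_hosts -- additional hosts whose referers are trusted
    """
    if method.upper() in SAFE_METHODS:
        return True
    if referer is None or referer.strip() == "":
        # Both attacker techniques from SLING-4019 end up here: https-to-http
        # navigation drops the header, an about:blank frame sends it empty.
        # Only an explicit allow_empty=True lets such a request through.
        return allow_empty
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False  # e.g. javascript:, data: or a value with no host
    ref_host = parts.hostname.lower()
    own_host = host.split(":", 1)[0].lower()
    return ref_host == own_host or ref_host in {h.lower() for h in allowed_hosts}


# Constructed sample requests: (method, Host header, Referer header or None).
CONSTRUCTED_REQUESTS = [
    ("POST", "victim.example:8080", "http://victim.example:8080/form"),  # same site
    ("POST", "victim.example", None),                         # https-to-http: header dropped
    ("POST", "victim.example", ""),                           # about:blank iframe: empty
    ("POST", "victim.example", "https://mallory.example/p"),  # foreign referer
    ("GET",  "victim.example", None),                         # safe method, no check
]


def evaluate(allow_empty):
    """Return the allow/deny decision for each constructed request."""
    return [is_request_allowed(m, h, r, allow_empty=allow_empty)
            for m, h, r in CONSTRUCTED_REQUESTS]


if __name__ == "__main__":
    print("allow_empty=True  ->", evaluate(True))
    print("allow_empty=False ->", evaluate(False))
```

With `allow_empty=True` both empty-referrer POSTs are accepted, which is exactly the gap the issue closes by defaulting the flag to false.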