Hello Daniel

On 28.05.2015 10:11, Daniel Sungjin Jung wrote:
> Checking “Allow Empty” checkbox in Apache Sling Referrer Filter is not
> recommended in production service.
> I’d like to know what specific security risks we face if we turn it on for
> production service.
Apart from the obvious cases (bugs in browser/plugins, MitM) which allow for HTTP header manipulation but often allow complete circumvention of CSRF protections anyway, there have been several cases where it was possible to strip the referrer header client-side using some tricks with JavaScript and iframes (e.g. [0], [1]).

Best greetings
Lars

[0] http://homakov.blogspot.com/2012/04/playing-with-referer-origin-disquscom.html
[1] http://webstersprodigy.net/2013/02/01/stripping-the-referer-in-a-cross-domain-post-request/
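To make the risk in Lars's reply concrete, here is a small model of a referrer-based CSRF check evaluated with "allow empty" on and off. This is an added illustration, not the Apache Sling Referrer Filter's own code: the function and option names (referrer_allowed, allow_empty, allowed_hosts), the set of checked methods and the sample requests are all assumptions made for the example. It shows why trusting an absent Referer header matters: once a page can make the browser omit the header, the request with no Referer is indistinguishable from a same-site one, and the weak setting accepts it.

```python
"""Model of a referrer-based CSRF check with and without "allow empty".

Added illustration, not Apache Sling's own code. Option names, the checked
methods and the sample requests below are assumptions for this example.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"app.example.com"}         # constructed: the site's own host
STATE_CHANGING = {"POST", "PUT", "DELETE"}  # methods the check applies to


def referrer_allowed(method, referer, allow_empty, allowed_hosts=ALLOWED_HOSTS):
    """Return True if the request passes the referrer check.

    `referer` is the raw Referer header value, or None when the client sent none.
    """
    if method.upper() not in STATE_CHANGING:
        return True                 # safe methods are not checked at all
    if not referer:
        # The weak setting: an absent header is trusted. A page that makes the
        # browser omit Referer (see the linked write-ups) therefore passes here
        # even though the request came from another origin.
        return allow_empty
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                # malformed or non-HTTP referrer value
    return parts.hostname.lower() in allowed_hosts


# Constructed sample requests: (method, Referer header value)
SAMPLE_REQUESTS = [
    ("GET",  None),
    ("POST", "https://app.example.com/edit"),
    ("POST", "https://evil.example.net/page"),
    ("POST", None),
    ("POST", "data:text/html,x"),
]


def evaluate(allow_empty):
    """Map each sample request to the check's verdict under one setting."""
    return {(m, r): referrer_allowed(m, r, allow_empty) for m, r in SAMPLE_REQUESTS}


def requests_only_weak_setting_accepts():
    """Requests accepted with allow_empty=True but rejected with allow_empty=False."""
    weak, strict = evaluate(True), evaluate(False)
    return sorted((k for k in weak if weak[k] and not strict[k]), key=str)


if __name__ == "__main__":
    for setting in (True, False):
        print(f"allow_empty={setting}")
        for (m, r), ok in evaluate(setting).items():
            print(f"  {m:6} referer={r!r:40} -> {'accept' if ok else 'reject'}")
    print("accepted only by the weak setting:", requests_only_weak_setting_accepts())
```

Running the block prints both verdict tables; the only request that changes verdict between the two settings is the state-changing one without a Referer, which is exactly the request an attacker-controlled page can produce with the header-stripping techniques in [0] and [1]. Keeping "allow empty" off closes that gap for the referrer check itself; a per-session CSRF token is the usual additional defence where clients legitimately send no Referer.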