security risk of allow empty referrer in Apache Sling Referrer Filter

2015-05-28 Thread Daniel Sungjin Jung
Hi,

Checking “Allow Empty” checkbox in Apache Sling Referrer Filter is not 
recommended in production service.
I’d like to know what specific security risks we face if we turn it on for 
production service.


Best Regards,

Daniel Sungjin Jung
strategic accounts specialist, critical situation manager, digital marketing | 
adobe | +82 (2) 530-8050 | suj...@adobe.com


Re: security risk of allow empty referrer in Apache Sling Referrer Filter

2015-05-28 Thread Lars Krapf
Hello Daniel

On 28.05.2015 10:11, Daniel Sungjin Jung wrote:
> Checking “Allow Empty” checkbox in Apache Sling Referrer Filter is not 
> recommended in production service.
> I’d like to know what specific security risks we face if we turn it on for 
> production service.

Apart from the obvious cases (bugs in browser/plugins, MitM) which allow
for HTTP header manipulation but often allow complete circumvention of
CSRF protections anyway, there have been several cases where it was
possible to strip the referrer header client-side using some tricks with
JavaScript and iframes (e.g. [0], [1]).

Best greetings
Lars


[0]
http://homakov.blogspot.com/2012/04/playing-with-referer-origin-disquscom.html
[1]
http://webstersprodigy.net/2013/02/01/stripping-the-referer-in-a-cross-domain-post-request/
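The point Lars makes is easiest to see in the decision logic itself. The block below is an added example, not code from the thread or from Apache Sling; it models a referrer-based CSRF check with an "allow empty" switch, in the spirit of the Sling Referrer Filter, and runs it over a few constructed requests. Request shape (a dict with "method" and "headers"), the set of filtered methods and the allowed-host list are assumptions of this example, not Sling configuration.

```python
from urllib.parse import urlparse

# Constructed model of a referrer-based CSRF check with an "allow empty"
# switch. Not Apache Sling's own code; the request shape and the list of
# filtered methods below are assumptions of this example.

# Only state-changing methods are subject to the check (assumption).
FILTERED_METHODS = {"POST", "PUT", "DELETE"}


def referrer_allowed(request, allowed_hosts, allow_empty):
    """Return True if the request passes the referrer check.

    request:       {"method": str, "headers": {header-name: value}}
    allowed_hosts: hostnames whose pages may issue state-changing requests
    allow_empty:   the equivalent of the "Allow Empty" checkbox
    """
    if request["method"].upper() not in FILTERED_METHODS:
        return True  # safe methods are not checked at all

    referer = request["headers"].get("Referer")
    if not referer:
        # This is the branch the "Allow Empty" setting controls. A request
        # whose Referer was stripped client-side (the tricks cited in the
        # thread) arrives here looking exactly like a benign empty referrer.
        return allow_empty

    # A malformed Referer yields hostname None, which is never allowed.
    host = urlparse(referer).hostname
    return host in allowed_hosts


# Constructed sample traffic: one legitimate request, one classic cross-site
# request, one with the referrer stripped, one malformed, one safe GET.
SAME_SITE = {"example.com"}
SAMPLE_REQUESTS = {
    "same_site_post": {"method": "POST",
                       "headers": {"Referer": "https://example.com/form"}},
    "cross_site_post": {"method": "POST",
                        "headers": {"Referer": "https://attacker.example/csrf"}},
    "stripped_referrer_post": {"method": "POST", "headers": {}},
    "garbage_referrer_post": {"method": "POST",
                              "headers": {"Referer": "not a url"}},
    "plain_get": {"method": "GET", "headers": {}},
}


def evaluate(allow_empty):
    """Run every sample request through the check with the given setting."""
    return {name: referrer_allowed(req, SAME_SITE, allow_empty)
            for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for setting in (False, True):
        print(f"allow_empty={setting}")
        for name, allowed in evaluate(setting).items():
            print(f"  {name:24s} -> {'ALLOW' if allowed else 'BLOCK'}")
```

With allow_empty=False the cross-site POST and the stripped-referrer POST are both blocked; with allow_empty=True the stripped-referrer POST is accepted, which is why the setting turns the referrer-stripping techniques in [0] and [1] into a working bypass of this particular check. A referrer filter is only one layer; a per-session CSRF token on state-changing requests does not depend on the Referer header being present, and logging state-changing requests that arrive with no Referer gives a useful signal for how often that branch is actually taken on a given site.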