[jira] [Commented] (SLING-3469) Provide out of the box CSRF protection

Cris Rockwell (Jira) Thu, 02 Sep 2021 07:15:06 -0700


    [ 
https://issues.apache.org/jira/browse/SLING-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17408867#comment-17408867
 ]


Cris Rockwell commented on SLING-3469:
--------------------------------------

After reviewing a few posts about Adobe Integrated Runtime * 
[https://tracker.adobe.com/#/view/AIR-2945647]
 * 
[https://community.adobe.com/t5/air-discussions/htmlloader-and-quot-referer-quot-request-header/td-p/3614351#3841814]

I recommend removing the code above that allows SWF apps (and others) that 
bypass the ReferrerFilter using the app:// exception.

> Provide out of the box CSRF protection
> --------------------------------------
>
>                 Key: SLING-3469
>                 URL: https://issues.apache.org/jira/browse/SLING-3469
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Raviteja Lokineni
>            Priority: Critical
>
> One such vulnerability can found on the default login form for 
> FormBasedAuthenticationHandler.
> Grails framework has implemented this protection using custom tag library and 
> filters. Ref: http://grails.org/doc/2.2.1/ref/Tags/form.html



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (SLING-3469) Provide out of the box CSRF protection

Reply via email to