[
https://issues.apache.org/jira/browse/SLING-10843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17422544#comment-17422544
]
Alex COLLIGNON commented on SLING-10843:
----------------------------------------
bq. Lars Krapf, Alex COLLIGNON - any thoughts about this proposal?
I would not be able to explain why this prefix was hard-coded. If you have the
option to remove it, then it sounds like good code hygiene. Note that I don't
see a security risk either with the current code. The referer set by
browsers/user-agents is not exposed to attackers*, therefore the app prefix
cannot be abused.
*except during a man in the middle attack but then it is game-over anyway.
> Referrer Filter allowance for app://
> ------------------------------------
>
> Key: SLING-10843
> URL: https://issues.apache.org/jira/browse/SLING-10843
> Project: Sling
> Issue Type: Improvement
> Components: Sling Security
> Affects Versions: Security 1.1.20
> Reporter: Cris Rockwell
> Assignee: Cris Rockwell
> Priority: Major
>
> Sling's ReferrerFilter has this code in the isValidRequest method.
> // check for air referrer - which is always allowedif (
> referrer.startsWith("app:/") ) { return true;
> }
> [Sling
> ReferrerFilter|https://github.com/apache/sling-org-apache-sling-security/blob/master/src/main/java/org/apache/sling/security/impl/ReferrerFilter.java]
> There's no need to have app:// as a hard-coded allowance around the Referrer
> Filter, because applications can configure allow.hosts.regexp to allow AIR
> referrer if needed.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
