[
https://issues.apache.org/jira/browse/SLING-11115?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber closed SLING-11115.
------------------------------------
> Allow path exemptions for referrer filter
> ------------------------------------------
>
> Key: SLING-11115
> URL: https://issues.apache.org/jira/browse/SLING-11115
> Project: Sling
> Issue Type: Improvement
> Components: Sling Security
> Reporter: Lars Krapf
> Assignee: Angela Schreiber
> Priority: Major
> Fix For: Security 1.1.24
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> The referrer filter should have a configuration option to exclude one or
> several paths from the check.
> For context:
> It seems that the RedHat SSO IDP sends "Referrer-Policy: no-referrer" by
> default (to address some [security
> concerns|https://tools.ietf.org/id/draft-ietf-oauth-security-topics-14.html#rfc.section.4.2.4]).
> This breaks the SAML POST binding in conjunction with the Sling referrer
> filter. Currently the only option to make it work is to allow empty referrers
> in general, however this weakens the CSRF protection.
> Allowing the filter to be disabled for individual paths would make it possible
> to solve this use case with minimal additional risk.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
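Added example (not Sling's own ReferrerFilter code, and not part of the issue thread): a small Python model of the referrer check that contrasts the two options named in the issue, allowing empty referrers globally versus exempting a single path. The method list, the `allow_empty` switch, the `exempt_paths` option and the host names (`sling.example`, `idp.example`) are assumptions made for this illustration; the sample requests are constructed. The point it makes visible is that the global option also waives the check for an unrelated form handler, while the path exemption only waives it for the SAML assertion consumer endpoint.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class ReferrerFilterConfig:
    # Hosts accepted as referrers in addition to the request's own host
    # (hypothetical option, modelled on the idea of an allow-list).
    allowed_hosts: FrozenSet[str]
    # Global switch: accept state-changing requests that carry no Referer at all.
    allow_empty: bool = False
    # Path prefixes for which the referrer check is skipped entirely
    # (the per-path exemption this issue asks for; assumed option name).
    exempt_paths: Tuple[str, ...] = ()
    # Methods treated as state-changing and therefore checked (assumption).
    protected_methods: FrozenSet[str] = frozenset({"POST", "PUT", "DELETE"})


def path_is_exempt(cfg: ReferrerFilterConfig, path: str) -> bool:
    """Exact match or a match on a path-segment boundary, so that
    '/saml/acs' does not accidentally exempt '/saml/acs-admin'."""
    return any(path == p or path.startswith(p.rstrip("/") + "/") for p in cfg.exempt_paths)


def is_request_allowed(cfg: ReferrerFilterConfig, method: str, request_host: str,
                       path: str, referer: Optional[str]) -> bool:
    """Decide whether a request passes the referrer check."""
    if method.upper() not in cfg.protected_methods:
        return True                     # safe methods are never checked
    if path_is_exempt(cfg, path):
        return True                     # per-path exemption, regardless of Referer
    if not referer:
        return cfg.allow_empty          # missing Referer: only the global switch helps
    parsed = urlparse(referer)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False                    # malformed or non-HTTP referrer is rejected
    return parsed.hostname == request_host or parsed.hostname in cfg.allowed_hosts


# Option 1 from the issue: accept empty referrers everywhere.
GLOBAL_EMPTY = ReferrerFilterConfig(allowed_hosts=frozenset({"idp.example"}), allow_empty=True)
# Option 2 from the issue: keep the check, but exempt the SAML ACS endpoint only.
PATH_EXEMPT = ReferrerFilterConfig(allowed_hosts=frozenset({"idp.example"}),
                                   exempt_paths=("/saml/acs",))

# Constructed sample requests: (label, method, path, Referer header or None).
SAMPLE_REQUESTS = (
    ("saml_post_no_referer", "POST", "/saml/acs", None),          # IdP sends no-referrer
    ("form_post_no_referer", "POST", "/content/form", None),      # no Referer on another handler
    ("form_post_same_origin", "POST", "/content/form", "https://sling.example/page"),
    ("form_post_foreign", "POST", "/content/form", "https://other.example/"),
    ("plain_get", "GET", "/content/form", None),
)


def evaluate(cfg: ReferrerFilterConfig, request_host: str = "sling.example") -> dict:
    """Run every sample request through one configuration."""
    return {label: is_request_allowed(cfg, method, request_host, path, referer)
            for label, method, path, referer in SAMPLE_REQUESTS}


def compare_policies() -> dict:
    """Side-by-side results for the two configurations."""
    return {"global_empty": evaluate(GLOBAL_EMPTY), "path_exempt": evaluate(PATH_EXEMPT)}


if __name__ == "__main__":
    for name, results in compare_policies().items():
        print(name)
        for label, allowed in results.items():
            print(f"  {label:24s} {'allowed' if allowed else 'rejected'}")
```

Under `global_empty` the request `form_post_no_referer` is allowed, which is the weakening the issue refers to; under `path_exempt` the same request is rejected while `saml_post_no_referer` still passes. The segment-boundary check in `path_is_exempt` is the kind of detail worth keeping when such an option is implemented, so that a prefix exemption does not silently widen to neighbouring paths.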