[ https://issues.apache.org/jira/browse/SLING-9043?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17031428#comment-17031428 ]
Lars Krapf commented on SLING-9043: ----------------------------------- Hello [~reschke] COPY (and yes, MOVE as well) are state-changing operations and should ideally be protected against CSRF as a defense-in-depth measure in case of an overly permissive CORS (or even same-site) configuration. The attack consists of luring a victim to an attacker's site, and then do an COPY XHR to the target, abusing the fact that the victim is authenticated and their browser will be automatically sending a session token. Since the referrer will be the attackers site this attack would be mitigated by the referrer filter (analogous to PUT and DELETE already present in the list). > COPY should be in the referer filter's default list of protected HTTP methods > ----------------------------------------------------------------------------- > > Key: SLING-9043 > URL: https://issues.apache.org/jira/browse/SLING-9043 > Project: Sling > Issue Type: Bug > Components: Resource Access Security > Reporter: Sonal Gupta > Priority: Major > Labels: vulnerability > > The COPY method , by default, is not in the list of methods covered by the > CSRF Referer filter. This might allow an attacker to copy files (abusing the > privileges of a logged in victim) using CSRF. -- This message was sent by Atlassian Jira (v8.3.4#803005)