AEM Dispatcher Cross Domain Injection issue | Adobe Higher Education
SaiAnil
Level 2
December 7, 2021
Solved

AEM Dispatcher Cross Domain Injection issue

  • 1 reply
  • 1178 views

Hi All,

We have recently encountered an issue with cross-domain injection, as we are managing multiple sites in the dispatcher for multiple site content paths.

Example:

/content/site1/en-us/en.html
/content/site2/en-us/en.html

1) When a user tries to access the site with www.example.com/content/site1/en-us/en.html, this becomes a shortened URL, as we implement masking rules and other required rules in the rewrite section of site1. The URL becomes www.example.com/en.html, and the page en.html will be served from the publisher path /content/site1/en-us/en.html.

2) The same applies to www.example1.com/en.html, which will be served from the publisher path /content/site2/en-us/en.html.

3) When the same user tries to access the site with www.example.com/content/site2/en-us/en.html, the user is able to access the page en.html of site2 from site1 (i.e. from /content/site2/en-us/en.html).

i.e. the entire content of one site is accessible through another domain.
Fix:

Added the last 3 lines in the rewrite section of site1 to allow only the content of its own site and block others.

# Map short URLs onto the site1 content root; requests that already target a system path are left alone
RewriteCond %{HTTP:X-Forwarded-Proto} https
RewriteCond %{REQUEST_URI} !^/apps
RewriteCond %{REQUEST_URI} !^/services
RewriteCond %{REQUEST_URI} !^/content
RewriteCond %{REQUEST_URI} !^/etc
RewriteCond %{REQUEST_URI} !^/home
RewriteCond %{REQUEST_URI} !^/libs
RewriteCond %{REQUEST_URI} !^/bin
RewriteCond %{REQUEST_URI} !^/tmp
RewriteCond %{REQUEST_URI} !^/var
RewriteRule ^/(.*)$ /content/site1/en-us/$1 [NC,PT,L]

# Return 404 for any /content path (DAM excepted) that is not under this site's own root
RewriteCond %{REQUEST_URI} ^/content
RewriteCond %{REQUEST_URI} !^/content/dam
RewriteRule !^/content/site1/ - [R=404,NC,L]

In case we are using the same DNS to access multiple content paths, those paths need to be allowed in the above rules.

This topic has been closed for replies.
Best answer by SaiAnil

Adding above 3 lines fixed the issue

1 reply

SaiAnil (Author, Answer)
Level 2
December 7, 2021

Adding above 3 lines fixed the issue
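
For the same-DNS case mentioned at the end of the post, the allow-list grows by one condition per content root that the domain may serve. The fragment below is an added example, not part of the original thread; /content/site3 is a hypothetical second content root on www.example.com, and the site2 block is the assumed mirror rule for the www.example1.com vhost.

```apache
# Added example (not from the original post).
# /content/site3 is a hypothetical second content root for www.example.com.

# --- inside the www.example.com vhost (serves site1 and site3) ---
RewriteEngine On
# Only direct /content requests are inspected; DAM assets stay reachable.
RewriteCond %{REQUEST_URI} ^/content
RewriteCond %{REQUEST_URI} !^/content/dam
# One negated condition per content root this domain is allowed to serve.
RewriteCond %{REQUEST_URI} !^/content/site1/
RewriteCond %{REQUEST_URI} !^/content/site3/
# Anything still matching belongs to another site: answer 404, no substitution.
RewriteRule ^ - [R=404,L]

# --- inside the www.example1.com vhost (serves site2 only) ---
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/content
RewriteCond %{REQUEST_URI} !^/content/dam
RewriteCond %{REQUEST_URI} !^/content/site2/
RewriteRule ^ - [R=404,L]
```

After a reload, a request for /content/site2/en-us/en.html on www.example.com should return 404, while /en.html and /content/dam assets are still served.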