Hi All,
We have recently encountered an issue with cross domain injection, as we are managing multiple sites in the dispatcher with multiple site content paths.
Example:
/content/site1/en-us/en.html
/content/site2/en-us/en.html
1) When a user tries to access the site with www.example.com/content/site1/en-us/en.html, this becomes a shortened URL, as we implement masking rules and the other required rules in the rewrite section of site1. The URL becomes www.example.com/en.html, and the page en.html is served from the publisher path /content/site1/en-us/en.html.
2) Similarly, www.example1.com/en.html is served from the publisher path /content/site2/en-us/en.html.
3) When the same user tries to access the site with www.example.com/content/site2/en-us/en.html, the user is able to access the page en.html of site2 from site1 (i.e. from /content/site2/en-us/en.html).
i.e. the entire content of one site is accessible through another site's domain.
Fix:
Added the last 3 lines to the rewrite section of site1 to only allow the content of its own site and block the others.
# Shortened URLs: map anything that is not already a repository path onto site1's content root.
RewriteCond %{HTTP:X-Forwarded-Proto} https
RewriteCond %{REQUEST_URI} !^/apps
RewriteCond %{REQUEST_URI} !^/services
RewriteCond %{REQUEST_URI} !^/content
RewriteCond %{REQUEST_URI} !^/etc
RewriteCond %{REQUEST_URI} !^/home
RewriteCond %{REQUEST_URI} !^/libs
RewriteCond %{REQUEST_URI} !^/bin
RewriteCond %{REQUEST_URI} !^/tmp
RewriteCond %{REQUEST_URI} !^/var
RewriteRule ^/(.*)$ /content/site1/en-us/$1 [NC,PT,L]
# Block direct access to any other site's content through this vhost.
# Requests under /content (except shared assets in /content/dam) that do not
# start with /content/site1/ get a 404. The negation ("!") belongs on the
# pattern and "-" means no substitution; the originally posted form
# "RewriteRule ^ !/content/site1/$" is not valid mod_rewrite syntax.
RewriteCond %{REQUEST_URI} ^/content
RewriteCond %{REQUEST_URI} !^/content/dam
RewriteRule !^/content/site1/ - [R=404,NC,L]
If we are using the same DNS name to access multiple content paths, those paths need to be allowed in the above rules.
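As an added check that is not part of the original post: a small script that requests every other site's content root through each public hostname and reports anything the dispatcher did not reject, so the fix can be verified from outside. The hostnames, content roots and sample page are assumed from the post's example; the `fetch` parameter lets the check run against a stub as well as a live vhost.

```python
"""Cross-site content leakage check for a multi-site dispatcher vhost setup.

Added example; hostnames and content roots are assumptions taken from the
post's example and should be replaced with your own vhost configuration.
"""
import urllib.error
import urllib.request

# Which publisher content root each public hostname is allowed to serve.
SITES = {
    "www.example.com": "/content/site1",
    "www.example1.com": "/content/site2",
}
SAMPLE_PAGE = "/en-us/en.html"  # a page that exists under every content root


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as-is instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=10):
    """Return the HTTP status code for a GET of url, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def find_cross_site_leaks(sites, page, fetch=http_status):
    """Request each site's content root through every *other* hostname.

    Returns (host, path, status) tuples for requests that were not rejected
    with 403/404, i.e. one site's content reachable through another domain.
    An empty list means the blocking rewrite rules are doing their job.
    """
    leaks = []
    for host, own_root in sites.items():
        for other_root in sites.values():
            if other_root == own_root:
                continue  # a site's own content is supposed to be served
            path = other_root + page
            status = fetch(f"https://{host}{path}")
            if status not in (403, 404):
                leaks.append((host, path, status))
    return leaks


if __name__ == "__main__":
    for host, path, status in find_cross_site_leaks(SITES, SAMPLE_PAGE):
        print(f"LEAK: {host}{path} -> {status}")
```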