Solved

Difference between Cross-Origin Resource Sharing Policy, Apache Sling Referrer Filter

Forum|Forum|1 year ago
March 20, 2024
1 reply
983 views

Hello Team,

I wanted to know the difference between these configurations.

Adobe Granite Cross-Origin Resource Sharing Policy, Apache Sling Referrer Filter

Thanks

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.

Best answer by TarunKumar

HI @mahesh_gunaje ,

Referrer-header configurations:

This is to allow the trusted servers, AEM has a referrer filter that can be configured.
In config manager, we have a configuration called “Apache Sling Referrer Filter“. This has below configs

which http methods should be filtered
whether an empty referrer header is allowed
a white list of servers to be allowed in addition to the server host.

Adobe Granite Cross Origin Resource Sharing Policy:
Adobe Experience Manager’s Cross-Origin Resource Sharing (CORS) facilitates non-AEM web properties to make client-side calls to AEM, both authenticated and unauthenticated, to fetch content or directly interact with AEM.

In addition to these two, one can implement Cross origin request sharing by using JSONP calls/ manipulating Access-Control-Allow-Origin in request header.

AEM 6.3 has introduced Cross-Origin Resource sharing configuration that allows authenticated and unauthenticated client side calls. This has configuration for allowed methods (POST,GET,DELETE.etc.,)

Thanks
Tarun

TarunKumar

Accepted solution

Community Advisor

HI @mahesh_gunaje ,

Referrer-header configurations:

This is to allow the trusted servers, AEM has a referrer filter that can be configured.
In config manager, we have a configuration called “Apache Sling Referrer Filter“. This has below configs

which http methods should be filtered
whether an empty referrer header is allowed
a white list of servers to be allowed in addition to the server host.

Adobe Granite Cross Origin Resource Sharing Policy:
Adobe Experience Manager’s Cross-Origin Resource Sharing (CORS) facilitates non-AEM web properties to make client-side calls to AEM, both authenticated and unauthenticated, to fetch content or directly interact with AEM.

In addition to these two, one can implement Cross origin request sharing by using JSONP calls/ manipulating Access-Control-Allow-Origin in request header.

AEM 6.3 has introduced Cross-Origin Resource sharing configuration that allows authenticated and unauthenticated client side calls. This has configuration for allowed methods (POST,GET,DELETE.etc.,)

Thanks
Tarun

M

Mahesh_GunajeAuthor

Hi @tarunkumar

I am bit confused.

Apache Sling Referrer Filter Configuration.

which http methods should be filtered: I can see POST, PUT, DELETE methods. So, what this does?

For example: Using Assets Http API, I have created API for GET, Post methods. So that www.restapp.com can consume my Post, GET calls to do some stuff.

So, I need to do below mentioned steps:

1: Go to Adobe Granite Cross-Origin Resource Sharing Policy configuration.

Mention: www.restapp.com under "Allowed Origins" section. Allowed methods: GET, POST.

Query is : Do I need to add any configuration for Apache Sling Referrer Filter??

Next time, I will allow www.angularapp.com to access my same GET, POST api. In this case, I need to add once more entry for Adobe Granite Cross-Origin Resource Sharing Policy configuration.

Whats the role of "Allow Hosts" under: Apache Sling Referrer Filter

M

Mahesh_GunajeAuthor

Hey @tarunkumar

One more query. Consider this scenario:

I have created ASSET http API. Its GET method only. Now, 3rd party Spring boot application will use my GET API from their java logic. Now, what minimum configuration, I need to do? I assume CORS setting is not required. Since, 3rd party application uses backend java logic to hit my API.

Referrer-header configurations:

Referrer-header configurations:

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded