By default the Apache Sling Referrer Filter blocks all POST requests. If I remove POST from 'Filter Methods' in the Apache Sling Referrer Filter it does allow them, but I need specific URLs to be allowed, not all the requests.
Can someone please help me with this.
This is the CORS problem (Cross-Origin Resource Sharing).
Basically, there are two ways of doing this.
1. Have the external domain use JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).
2. You can manipulate the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=...)
Notice that this is not fully supported by all browsers yet.
edit:
I actually realized there is one more way: just configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that may POST to Sling in the Allowed hosts. I would advise you not to use any external domains that you don't have control over.
/O
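To make the "Allowed hosts" advice above concrete, here is an added example (not code from the thread or from Sling itself) that models the decision the Sling Referrer Filter makes for a request. The field names follow the filter's OSGi properties (allow.hosts, allow.empty, filter.methods); the decision logic is a simplified re-implementation written for illustration, and the hostnames, paths and sample requests are constructed. It deliberately includes the case the thread runs into later, a POST that arrives with no Referer header at all.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class ReferrerPolicy:
    """Subset of the Sling Referrer Filter settings that matter here.

    Assumed mapping to the OSGi properties: allow.empty, allow.hosts,
    filter.methods. This is a model for illustration, not the filter's source.
    """
    allow_empty: bool = False
    allow_hosts: frozenset = frozenset()
    filter_methods: frozenset = frozenset({"POST", "PUT", "DELETE"})


def is_allowed(policy: ReferrerPolicy, method: str,
               referer: Optional[str], request_host: str) -> bool:
    """Return True when the request passes the referrer check."""
    # Methods not listed in filter.methods are never checked (GET, HEAD, ...).
    if method.upper() not in policy.filter_methods:
        return True
    # No Referer at all: this is what a cross-site redirect from a payment
    # gateway typically looks like. It is rejected unless allow.empty is on.
    if referer is None or not referer.strip():
        return policy.allow_empty
    parts = urlsplit(referer.strip())
    # A relative Referer (no scheme, no host) can only come from this site.
    if not parts.scheme and not parts.netloc:
        return True
    host = (parts.hostname or "").lower()
    # Same host as the request itself is always fine.
    if host == request_host.lower():
        return True
    # Otherwise the host must be in the configured Allowed hosts.
    return host in {h.lower() for h in policy.allow_hosts}


# Constructed sample requests: (label, method, Referer header, Host header).
SAMPLE_REQUESTS = [
    ("same-site form post", "POST", "https://www.example.com/checkout.html", "www.example.com"),
    ("relative referer", "POST", "/checkout.html", "www.example.com"),
    ("trusted gateway", "POST", "https://pay.example-gateway.com/return", "www.example.com"),
    ("gateway redirect, no referer", "POST", None, "www.example.com"),
    ("cross-site CSRF attempt", "POST", "https://evil.example.net/csrf.html", "www.example.com"),
    ("plain page view", "GET", None, "www.example.com"),
]


def evaluate(policy: ReferrerPolicy) -> dict:
    """Run every sample request through the policy; returns label -> allowed."""
    return {label: is_allowed(policy, m, r, h) for label, m, r, h in SAMPLE_REQUESTS}


if __name__ == "__main__":
    policy = ReferrerPolicy(allow_hosts=frozenset({"pay.example-gateway.com"}))
    for label, allowed in evaluate(policy).items():
        print(f"{'ALLOW' if allowed else 'BLOCK':5}  {label}")
```

With only the gateway host in Allowed hosts, the cross-site attempt is blocked but so is the gateway's own redirect when it carries no Referer. Switching allow.empty on makes that redirect pass, but it also lets any attacker page that suppresses its Referer (for example with a no-referrer referrer policy) post to the instance, so it trades away most of what the filter gives you; a narrowly scoped exception for the one callback path is the better trade.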
In CQ you need a custom implementation for specific URLs.
In general, AEM relies on a web application firewall or the web server to protect it. For your use case, use a Referer-header-based solution, which can be achieved either with mod_rewrite [1] or with something more elaborate like mod_security [2] on the web server tier.
[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/
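As an added example of the mod_rewrite approach suggested above (this is not configuration from the thread or from Adobe; the hostnames and the /content/ prefix are assumptions to adjust to your site), a referrer gate on the web server tier can look like this:

```apache
# Gate state-changing requests to the content tree on the Referer header.
RewriteEngine On

# Only the methods the Sling filter also defaults to are checked.
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|DELETE)$ [NC]
# Let the request through when the Referer is our own site or a trusted partner host.
RewriteCond %{HTTP_REFERER} !^https?://(www\.example\.com|pay\.example-gateway\.com)(:[0-9]+)?(/|$) [NC]
# Everything else is refused with 403 before it ever reaches AEM.
RewriteRule ^/content/ - [F]
```

Note that a request with no Referer at all fails the second condition too, so this gate has exactly the same blind spot as the Sling filter for a gateway redirect that sends none; if you need to admit such a request, exempt only the specific callback path and make sure the handler behind it verifies the gateway's payload itself.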
Sham HC wrote...
In CQ you need a custom implementation for specific URLs.
In general, AEM relies on a web application firewall or the web server to protect it. For your use case, use a Referer-header-based solution, which can be achieved either with mod_rewrite [1] or with something more elaborate like mod_security [2] on the web server tier.
[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/
Hi Sham, thank you very much for the reply, but in my case, as the redirection comes from a payment gateway, it is not adding the Referer to the request headers.
Is it possible to add the Referer header in the dispatcher for a particular incoming request?
Ove Lindstrm wrote...
This is the CORS problem (Cross-Origin Resource Sharing).
Basically, there are two ways of doing this.
1. Have the external domain use JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).
2. You can manipulate the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=...)
Notice that this is not fully supported by all browsers yet.
edit:
I actually realized there is one more way: just configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that may POST to Sling in the Allowed hosts. I would advise you not to use any external domains that you don't have control over.
/O
Thank you very much, Ove Lindstrm, but in my use case the redirection comes from a payment gateway which does not add a Referer header. I guess the Allowed hosts are matched against the Referer header, which again will fail.
The browser reports the HTTP Referer header for the domains/URLs submitted in your particular setup. Payment gateways should pass it back to the next integration layer; check your payment configuration to pass it. The dispatcher just acts as a proxy and does not add anything. If required, you can fake it using a rewrite.
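The "fake it using a rewrite" option mentioned above, as an added example (not configuration from the thread or from Adobe; the callback path and hostnames are assumptions, and it uses Apache 2.4 mod_headers syntax on the httpd instance that fronts the dispatcher):

```apache
# Supply a Referer on exactly one callback path so the Sling Referrer Filter
# accepts the gateway's POST. pay.example-gateway.com must also be listed in
# the filter's Allowed hosts for this to pass.
<LocationMatch "^/content/example/payment/return\.html$">
    # Only when nothing was sent; never overwrite a Referer that is present.
    RequestHeader set Referer "https://pay.example-gateway.com/" "expr=-z %{req:Referer}"
</LocationMatch>
```

Be clear about what this does: for that one path the referrer check is effectively switched off, so the servlet that receives the gateway callback must validate the gateway's own signature or token on the posted data, and the path match should stay exact rather than a prefix, so the exemption cannot be reused against other POST endpoints.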