By default the Apache Sling Referrer Filter blocks all POST requests. If I remove POST from 'Filter Methods' in the Apache Sling Referrer Filter it does allow them, but I need specific URLs to be allowed, not all requests.
Can someone please help me with this.
This is the CORS problem (Cross-Origin Resource Sharing).
Basically, there are two ways of doing this.
1. Have the external domain use JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).
2. You can manipulate the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=...)
Notice that this is not yet fully supported by all browsers.
edit:
I actually realized there is one more way: just configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that can post to the Sling Post in the Allowed hosts. I would advise you not to use any external domains that you don't have control over.
/O
In CQ you need a custom implementation for specific URLs.
In general AEM relies on a web application/server firewall for protection. For your use case, use a referrer header-based solution, which can be achieved either with mod_rewrite [1] or with something more elaborate like mod_security [2] on the webserver tier.
[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/
Sham HC wrote...
In CQ you need a custom implementation for specific URLs.
In general AEM relies on a web application/server firewall for protection. For your use case, use a referrer header-based solution, which can be achieved either with mod_rewrite [1] or with something more elaborate like mod_security [2] on the webserver tier.
[1] http://www.webmasterworld.com/forum92/3229.htm
[2] http://modsecurity.org/
Hi Sham, thank you very much for the reply, but in my case, as the redirection comes from a payment gateway, it does not add the referrer to the request header.
Is it possible to add the referrer header in the dispatcher for a particular incoming request?
Ove Lindström wrote...
This is the CORS problem (Cross-Origin Resource Sharing).
Basically, there are two ways of doing this.
1. Have the external domain use JSONP and implement that interface. (See http://stackoverflow.com/questions/13893361/access-control-allow-origin-localhost).
2. You can manipulate the Access-Control-Allow-Origin header in your response. (See https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=...)
Notice that this is not yet fully supported by all browsers.
edit:
I actually realized there is one more way: just configuring the Sling Referrer Filter. Use the steps from http://wem.help.adobe.com/enterprise/en_US/10-0/core/administering/crx_security_checklist.html and enter the domains that can post to the Sling Post in the Allowed hosts. I would advise you not to use any external domains that you don't have control over.
/O
Thank you very much Ove Lindström, but in my use case the redirection comes from a payment gateway which does not add a referrer header. I guess the allowed hosts will be matched against the referrer header, which again will fail.
The browser reports the HTTP Referer header with the domains/URLs submitted for your particular setup. Payment gateways should pass it back to the next integration layer; check your payment configuration to pass it. The Dispatcher just acts as a proxy and does not add anything. If required you can fake it using rewrite.
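As an added illustration of the web-tier approach Sham HC describes (a referrer-header check in mod_rewrite on the Apache/Dispatcher host, plus the rewrite-supplied Referer for the one gateway return path that arrives without one), the following is example configuration written for this thread, not the poster's or Adobe's own. The site host www.example.com and the callback path /content/mysite/payment/callback are placeholders; mod_rewrite and mod_headers must be loaded.

```apache
# Added example for the thread above. Placeholders: www.example.com is the site's
# own host, /content/mysite/payment/callback is the gateway's return URL.
RewriteEngine On

# Rule 1: every POST outside the callback path must carry a Referer from our own
# host. An absent Referer also fails the negated match, so referrer-less POSTs
# to all other paths are rejected with 403 before they reach AEM.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} !^/content/mysite/payment/callback
RewriteCond %{HTTP_REFERER} !^https?://www\.example\.com/ [NC]
RewriteRule ^ - [F]

# Rule 2: the payment gateway redirects the browser back without a Referer, so
# the Sling Referrer Filter would reject that one POST. Mark exactly that path
# and supply a Referer that the filter's "Allowed hosts" entry for the site
# accepts. This removes referrer-based CSRF protection for that path only, so
# the match must stay as narrow as the gateway's return URL allows.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{REQUEST_URI} ^/content/mysite/payment/callback
RewriteRule ^ - [E=GATEWAY_RETURN:1]
RequestHeader set Referer "https://www.example.com/" env=GATEWAY_RETURN
```

With this in place the Sling Referrer Filter stays enabled for POST, and only the marked callback path reaches it with a supplied Referer.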