Details
- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Version: Security 1.0.2
Description
The current "allow.hosts" setting of the ReferrerFilter can be configured with a list of trusted hosts.
In a setup where the list of allowed hosts is expanding as the application runs, it becomes tricky to keep the configuration in sync.
As an example, a service which supports wildcard URIs such as <userId>.my.service.com would be required to modify the referrer filter configuration for each user, which is hardly doable.
Thus, I would propose supporting regex patterns in the "allow.hosts" list, which would still be secure.
The example above would be configured as: allow.hosts=(.*).my.service.com
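As an added illustration (not code from the Sling project or from this issue), the following Python sketch shows how a referrer check with both exact host entries and regex patterns can be implemented so that the regex proposal stays secure. The configuration values, hostnames and the `allow_hosts` / `allow_regexps` parameter names are constructed for the example. The key point for a defender is that each pattern must be matched against the whole host (anchored) and literal dots must be escaped: the pattern `(.*).my.service.com` as written in the issue, if applied with a prefix match, also accepts hosts that merely start with a matching label.

```python
import re
from urllib.parse import urlsplit

# Constructed configuration values for this example (not the project's defaults).
ALLOW_HOSTS = ["localhost", "intranet.example"]
# Regex patterns in the spirit of the proposal: one label, then the literal
# suffix ".my.service.com". Dots are escaped so they only match dots.
ALLOW_HOSTS_REGEXP = [r"[a-z0-9-]+\.my\.service\.com"]

# The pattern exactly as written in the issue, used below only to show the
# pitfall of applying it without anchoring.
ISSUE_PATTERN = r"(.*).my.service.com"


def referrer_host(referrer):
    """Return the lower-cased host of a Referer URL, or None if it has no host."""
    try:
        parts = urlsplit(referrer)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if not parts.hostname:
        return None
    return parts.hostname.lower()


def is_allowed(host, allow_hosts=ALLOW_HOSTS, allow_regexps=ALLOW_HOSTS_REGEXP):
    """True if host is an exact allow-listed entry or fully matches a pattern.

    re.fullmatch anchors the pattern at both ends of the host string, so a
    trailing attacker-controlled suffix cannot satisfy the pattern.
    """
    if host is None:
        return False
    if host in allow_hosts:
        return True
    return any(re.fullmatch(pattern, host) is not None for pattern in allow_regexps)


def referrer_allowed(referrer):
    """Combine URL parsing and the allow check for a raw Referer header value."""
    return is_allowed(referrer_host(referrer))


def loose_match(host, pattern=ISSUE_PATTERN):
    """Prefix match with unescaped dots: the insecure way to apply the pattern.

    Shown only to demonstrate why anchoring and escaping matter; do not use.
    """
    return re.match(pattern, host) is not None


if __name__ == "__main__":
    for sample in ["https://alice.my.service.com/page",
                   "https://alice.my.service.com.attacker.example/",
                   "https://alicexmyxservicexcom/"]:
        host = referrer_host(sample)
        print(f"{host}: strict={is_allowed(host)} loose={loose_match(host)}")
```

With the constructed inputs, the strict check accepts only `alice.my.service.com`, while the loose prefix match also accepts `alice.my.service.com.attacker.example` and even `alicexmyxservicexcom`, which is why a regex-based `allow.hosts` needs anchored, dot-escaped patterns.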