in src/main/java/org/apache/sling/security/impl/ReferrerFilter.java [387:431]
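/**
 * Decides whether a request passes the referrer check.
 *
 * <p>Evaluation order:
 * <ol>
 *   <li>requests to a configured excluded path are always accepted;</li>
 *   <li>the {@code Referer} header is consulted, falling back to {@code Origin} when it is
 *       missing or blank;</li>
 *   <li>a missing/blank value is accepted only when {@code allowEmpty} is set;</li>
 *   <li>the literal value {@code "null"} (an opaque origin) is treated like a missing value;</li>
 *   <li>a relative value (one without {@code ":/"}) is always accepted;</li>
 *   <li>an absolute value must parse via {@link #getHost} and either name the request's own
 *       server or match one of the configured allowed referrers (URI list or regex list).</li>
 * </ol>
 *
 * @param request the incoming request; only its {@code Referer}/{@code Origin} headers, method,
 *                request URI and server name are read
 * @return {@code true} if the request may proceed, {@code false} if it must be rejected
 */
boolean isValidRequest(final HttpServletRequest request) {
    // Excluded paths are exempt from the check altogether.
    if (isExcludedPath(request)) {
        return true;
    }

    String referrer = request.getHeader("referer");
    // Fall back to Origin when Referer is absent or blank (e.g. suppressed by a referrer policy).
    if (referrer == null || referrer.trim().isEmpty()) {
        referrer = request.getHeader("origin");
    }

    // Neither header carries a value: the outcome is purely the allowEmpty configuration.
    if (referrer == null || referrer.trim().isEmpty()) {
        if (!this.allowEmpty) {
            this.logger.info("Rejected empty referrer header for {} request to {}", request.getMethod(), request.getRequestURI());
        }
        return this.allowEmpty;
    }

    // RFC 6454 section 7.3 serialises an opaque origin as the literal string "null"; browsers send
    // it as the Origin header when they withhold the real origin (sandboxed iframes, a
    // "no-referrer" referrer policy on a cross-site POST, file:/data: documents). That string has
    // no ":/", so the relative-referrer shortcut below would accept it, and a cross-site request
    // with Referer suppressed would pass unchecked. Treat it exactly like a missing header so that
    // allowEmpty remains the single switch governing "origin unknown".
    if ("null".equals(referrer.trim())) {
        if (!this.allowEmpty) {
            this.logger.info("Rejected opaque (null) referrer/origin header for {} request to {}", request.getMethod(), request.getRequestURI());
        }
        return this.allowEmpty;
    }

    // A value without a scheme is taken to be a relative reference to this site and is accepted.
    // NOTE(review): a network-path reference ("//host/path") also lacks ":/" and lands here.
    // Browsers do not emit such Referer/Origin values, but non-browser clients can.
    if (!referrer.contains(":/")) {
        return true;
    }

    // Absolute value: it must parse into a host, otherwise it is rejected outright.
    final HostInfo info = getHost(referrer);
    if (info == null) {
        this.logger.info("Rejected illegal referrer header for {} request to {} : {}", request.getMethod(), request.getRequestURI(), referrer);
        return false;
    }

    // A referrer naming the request's own server is always accepted. getServerName() comes from
    // the Host header / container configuration, not from anything the referring page controls.
    // NOTE(review): the comparison is case-sensitive while DNS names are not; a mixed-case
    // referrer host falls through to the allow lists below — confirm whether getHost() already
    // normalises case before changing this.
    if (info.host.equals(request.getServerName())) {
        return true;
    }

    // Otherwise the host must match a configured allowed referrer, by URI or by regex.
    final boolean valid = isValidUriReferrer(info) || isValidRegexReferrer(info);
    if (!valid) {
        this.logger.info("Rejected referrer header for {} request to {} : {}", request.getMethod(), request.getRequestURI(), referrer);
    }
    return valid;
}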