Bug #91396
Updated by Oliver Hader over 4 years ago
Scenario
* https://sso.example.org/auth used to authenticate
* https://example.org/?eID=auth used for session transfer/activation (or similar technique, invoking a "callback")
** request header @Referer: https://sso.example.org/auth@
** response header @Location: https://example.org/typo3/@
* https://example.org/typo3/ as redirect
** request header @Referer: https://sso.example.org/auth@ (still the external SSO, since redirected via @Location:@ headers)
** response header @Location: http://example/typo3/index.php?route=%2Fmain&token=1ed543d6ba3594722a69a1969abc15046631d7a5@
* http://example/typo3/index.php?route=%2Fmain&token=1ed543d6ba3594722a69a1969abc15046631d7a5 checking the referrer
** request header @Referer: https://sso.example.org/auth@ (still the external SSO, since redirected via @Location:@ headers)
Observation
* request is actually correct
* referrer is sent - but with something "external" from @/typo3/@ (that is the subject we want and must protect from being called *directly*)
Variations
* cross-site
** @Referer: https://sso.example.org/auth@
** expected @Referer: https://example.org/typo3/.+@
* same-site
** @Referer: https://example.org/?eID=auth@
** expected @Referer: https://example.org/typo3/.+@
* same-origin (the regular case)
** @Referer: https://example.org/typo3/index.php?route=%2Flogin@
** expected @Referer: https://example.org/typo3/.+@
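As an added illustration (not part of the report or of TYPO3's own code), the referrer check and the redirect chain from the scenario above modelled in Python; the URLs and the @TOKEN@ placeholder are constructed to mirror the report, and the category names follow the report's usage rather than the Fetch spec's definitions:

```python
import re
from urllib.parse import urlsplit

# Constructed values mirroring the report's scenario; hosts and the token are illustrative.
BACKEND_PREFIX = "/typo3/"
EXPECTED_REFERER = re.compile(r"^https://example\.org/typo3/.+")

def classify_referer(referer, request_url):
    """Classify a Referer the way the report does (assumption, not the Fetch spec's terms):
    cross-site = different origin, same-site = same origin but outside /typo3/,
    same-origin = inside /typo3/. Returns (category, accepted_by_check)."""
    r, q = urlsplit(referer), urlsplit(request_url)
    if (r.scheme, r.netloc) != (q.scheme, q.netloc):
        category = "cross-site"
    elif not r.path.startswith(BACKEND_PREFIX):
        category = "same-site"
    else:
        category = "same-origin"
    return category, EXPECTED_REFERER.match(referer) is not None

def follow_redirects(first_url, referer, redirects):
    """Simulate a browser following Location headers. A redirect does not rewrite the
    Referer of the original navigation (its value is still subject to the referrer
    policy), so the request that finally reaches the checked URL still carries the
    SSO referrer, never the intermediate /typo3/ hop."""
    url, trace = first_url, []
    while url in redirects:
        trace.append((url, referer))
        url = redirects[url]
    trace.append((url, referer))
    return trace

def check_chain(first_url, referer, redirects):
    """Run the referrer check on the last request of the redirect chain."""
    final_url, final_referer = follow_redirects(first_url, referer, redirects)[-1]
    return classify_referer(final_referer, final_url)

if __name__ == "__main__":
    sso = "https://sso.example.org/auth"
    chain = {
        "https://example.org/?eID=auth": "https://example.org/typo3/",
        "https://example.org/typo3/": "https://example.org/typo3/index.php?route=%2Fmain&token=TOKEN",
    }
    for url, ref in follow_redirects("https://example.org/?eID=auth", sso, chain):
        print(f"{url} <- Referer: {ref}")
    print(check_chain("https://example.org/?eID=auth", sso, chain))  # ('cross-site', False)
```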