Commit eeea83ba authored by Matija Obreza's avatar Matija Obreza

Fix: check Referrer header if Origin header is missing or method is GET

- Firefox 67 doesn't send Origin header when using <form> POST
parent 6090c3d8
......@@ -108,7 +108,7 @@ public class OAuthClientOriginCheckFilter extends OncePerRequestFilter {
return true;
}
if (isGet && reqReferrer != null && reqReferrer.startsWith(allowedOrigin)) {
if ((isGet || reqOrigin == null) && reqReferrer != null && reqReferrer.startsWith(allowedOrigin)) {
if (logger.isDebugEnabled()) {
logger.debug("Referrer match: " + reqReferrer + " for " + allowedOrigin);
}
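Review bot: The changed condition now falls back to `reqReferrer.startsWith(allowedOrigin)` for any request that lacks an Origin header, and a bare prefix test also accepts a different host whose name merely begins with the allowed origin (constructed example: allowed `https://app.example`, Referer `https://app.example.other.test/page`). The match should stop at an origin boundary, for instance `reqReferrer.equals(allowedOrigin) || reqReferrer.startsWith(allowedOrigin + "/")`, assuming the configured origins carry no trailing slash, or compare scheme, host and port after parsing the header with `java.net.URI`. Because Referer can be omitted under a strict referrer policy, a comment such as `// Referer is only a fallback: used when Origin is absent or the method is GET` would also help the next reader. The enclosing method starts and ends outside the hunk, so how allowedOrigin is normalised cannot be confirmed from here.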
......