The Referer Filtering process can be described as follows:

1. The LiveCycle server checks the HTTP method used for invocation:
   - If it is POST, the LiveCycle server performs the Referer header check.
   - If it is GET, the LiveCycle server bypasses the Referer check, unless CSRF_CHECK_GETS is set to true, in which case it performs the Referer header check. CSRF_CHECK_GETS is specified in the web.xml file for your application.

2. The LiveCycle server checks whether the requested URI is whitelisted:
   - If the URI is whitelisted, the server accepts the request.
   - If the requested URI is not whitelisted, the server retrieves the Referer of the request.

3. If there is a Referer in the request, the server checks whether it is an Allowed Referer. If it is allowed, the server checks for a Referer Exception:
   - If it is an exception, the request is blocked.
   - If it is not an exception, the request is passed.

4. If there is no Referer in the request, the server checks whether a Null Referer is allowed:
   - If a Null Referer is allowed, the request is passed.
   - If a Null Referer is not allowed, the server checks whether the requested URI is an exception for the Null Referer and handles the request accordingly.
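The decision sequence above, written out as a small reference implementation so that each branch can be exercised against sample requests. This is an added example, not the LiveCycle product's own filter code. The page does not state four details, which the example treats as assumptions (also marked in the code): Allowed Referers are matched on the host name of the Referer URL; a Referer whose host is not an Allowed Referer blocks the request; a URI listed as a Null Referer exception is accepted when no Referer is present and Null Referers are otherwise disallowed; and HTTP methods other than GET are treated like POST. The configuration values, URIs and host names in the sample are constructed for illustration.

```python
"""
Illustrative Referer-filter decision logic modelled on the four steps
described in the text.  Not the LiveCycle implementation.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class RefererFilterConfig:
    csrf_check_gets: bool = False                      # CSRF_CHECK_GETS in web.xml
    whitelisted_uris: frozenset = frozenset()          # URIs accepted without a Referer check
    allowed_referers: frozenset = frozenset()          # Allowed Referers (assumption: host names)
    referer_exceptions: frozenset = frozenset()        # URIs blocked even for an allowed Referer
    allow_null_referer: bool = False                   # whether a missing Referer is accepted
    null_referer_exceptions: frozenset = frozenset()   # URIs accepted with no Referer (assumption)


def referer_filter(method: str, uri: str, referer: Optional[str],
                   cfg: RefererFilterConfig) -> tuple[bool, str]:
    """Return (accepted, reason) for a single request."""
    # Step 1: GET bypasses the check unless CSRF_CHECK_GETS is true.
    # Assumption: any non-GET method is checked like POST.
    if method.upper() == "GET" and not cfg.csrf_check_gets:
        return True, "GET bypasses the Referer check (CSRF_CHECK_GETS is false)"

    # Step 2: a whitelisted URI is accepted without looking at the Referer.
    if uri in cfg.whitelisted_uris:
        return True, "URI is whitelisted"

    # Step 3: a Referer is present.
    if referer:
        host = urlparse(referer).hostname  # None for an unparseable value
        if host not in cfg.allowed_referers:
            # Assumption: a Referer that is not an Allowed Referer is blocked.
            return False, f"Referer host {host!r} is not an Allowed Referer"
        if uri in cfg.referer_exceptions:
            return False, "URI is a Referer Exception, blocked despite allowed Referer"
        return True, "Referer is an Allowed Referer"

    # Step 4: no Referer at all.
    if cfg.allow_null_referer:
        return True, "Null Referer is allowed"
    if uri in cfg.null_referer_exceptions:
        # Assumption: Null Referer exception URIs are accepted.
        return True, "URI is a Null Referer exception"
    return False, "Null Referer is not allowed"


# Constructed sample configuration (values are illustrative only).
SAMPLE_CONFIG = RefererFilterConfig(
    whitelisted_uris=frozenset({"/lc/public/health"}),
    allowed_referers=frozenset({"forms.example.com"}),
    referer_exceptions=frozenset({"/lc/admin/purge"}),
    null_referer_exceptions=frozenset({"/lc/api/ping"}),
)


def evaluate_samples(cfg: RefererFilterConfig = SAMPLE_CONFIG) -> list[tuple[str, str, bool]]:
    """Run a set of constructed requests through the filter."""
    requests = [
        ("GET", "/lc/forms/submit", None),
        ("POST", "/lc/public/health", None),
        ("POST", "/lc/forms/submit", "https://forms.example.com/form.html"),
        ("POST", "/lc/forms/submit", "https://third-party.example.net/page"),
        ("POST", "/lc/admin/purge", "https://forms.example.com/admin.html"),
        ("POST", "/lc/forms/submit", None),
        ("POST", "/lc/api/ping", None),
    ]
    results = []
    for method, uri, referer in requests:
        accepted, reason = referer_filter(method, uri, referer, cfg)
        results.append((method, uri, accepted))
        print(f"{method:4} {uri:22} referer={referer!s:45} -> "
              f"{'PASS' if accepted else 'BLOCK'}: {reason}")
    return results


if __name__ == "__main__":
    evaluate_samples()
```

The third-party Referer case is the one the check exists for: a cross-site form post carries the foreign origin in its Referer and is blocked at step 3, while the same URI from the allowed host passes. The last two requests show why the Null Referer setting matters: browsers and proxies can strip the header, so allowing a null Referer globally removes the protection for every non-whitelisted URI, whereas a per-URI Null Referer exception confines that relaxation to endpoints that genuinely need it.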
The following depicts the CSRF check that LiveCycle performs when a request is sent to the server.

[Figure: flowchart of the CSRF check; the image is not reproduced in this text.]