BTBurke / caddy-jwt

JWT middleware for the Caddy server
MIT License

Set referer header on redirect #40

Closed xombiemp closed 5 years ago

xombiemp commented 5 years ago

I’d like the referer header to be set when using the redirect option.

My specific reason is that when used in conjunction with the http.login middleware, it requires a referer host to match the redirect host after successful login by default. Since jwt doesn’t set the referer, one has to disable the referer checking in the login plugin for it to work correctly.

igor-petruk commented 5 years ago

I don't think the plugin can set the Referer that easily. It is the browser that decides what to send.

I am struggling with the same problem here and I don't have the solution.

The best Caddy can do is to set this

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

You can already do that using the existing "header" rule in the Caddyfile. I've experimented with various options using the "header" setting and none of them work by setting a correct Referer. The best I've got is to get it to set Referer to the target host (not the app, but the SSO URL), and this is useless. It is not clear to me why my browser does it, so I suppose the complexity lies client side.

You can try to fix your problem with the "header" rule, and then it might be possible to build this feature into the plugin.

magikstm commented 5 years ago

I don't think it is an issue in caddy-jwt.

Redirect option is used for that: If the optional redirect is set, the middleware will send a redirect to the supplied location (HTTP 303) instead of an access denied code, if the access is denied.

This suggested info could be looked at in login plugins: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

Refer to this issue for a discussion in loginsrv on the subject: https://github.com/tarent/loginsrv/issues/97
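A runnable Go sketch of the two behaviours discussed above, added here and not code from caddy-jwt or loginsrv: the HTTP 303 redirect with a Referrer-Policy header (the most the server can do, as noted above) and a hypothetical referer-host check of the kind the login plugin applies, which fails whenever the browser chooses not to send a Referer. loginURL, refererHostMatches, the example.test hosts and the chosen policy value are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Assumed login endpoint; caddy-jwt takes the real value from the Caddyfile "redirect" option.
const loginURL = "https://sso.example.test/login"

// denyWithRedirect mirrors the thread: on denied access answer HTTP 303 to the
// login page. Referrer-Policy only tells the browser which policy to apply on
// the next hop; the server cannot write the Referer the browser will send.
func denyWithRedirect(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Referrer-Policy", "no-referrer-when-downgrade")
	http.Redirect(w, r, loginURL, http.StatusSeeOther)
}

// refererHostMatches is a hypothetical stand-in for the login plugin's check:
// the Referer host must equal the redirect target's host. A missing or
// unparsable Referer fails, which is what a browser that omits it triggers.
func refererHostMatches(referer, redirectTarget string) bool {
	ref, err := url.Parse(referer)
	if err != nil || ref.Host == "" {
		return false
	}
	target, err := url.Parse(redirectTarget)
	if err != nil || target.Host == "" {
		return false
	}
	return strings.EqualFold(ref.Host, target.Host)
}

// redirectResponse runs denyWithRedirect on a constructed request and returns
// the status, Location and Referrer-Policy a client would observe.
func redirectResponse() (int, string, string) {
	req := httptest.NewRequest(http.MethodGet, "https://app.example.test/secret", nil)
	rec := httptest.NewRecorder()
	denyWithRedirect(rec, req)
	res := rec.Result()
	return res.StatusCode, res.Header.Get("Location"), res.Header.Get("Referrer-Policy")
}

func main() {
	code, loc, policy := redirectResponse()
	fmt.Printf("%d -> %s (Referrer-Policy: %s)\n", code, loc, policy)
}
```

The check passes only when the browser actually sends a Referer whose host equals the redirect target; the server side of the redirect has no way to make that happen.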

xombiemp commented 5 years ago

Thanks for your replies. I didn't realize that the Referer header was fully controlled by the browser. I guess it's not possible to force a Referer header on the redirect.