XSS PROTECTION FOR ADMIN SCREENS
As of version 5.2, dotCMS has shipped with a filter that is designed to minimize XSS and CSRF vulnerabilities in the administrative console. To do this, dotCMS blocks direct access to all files under the administrative directories, e.g. /html, /dotAdmin … unless the request carries a valid Referer (or Origin) header.
Prior to dotCMS 5.2, a similar protection was provided by a plugin known as the CSRFFilter plugin, which is no longer needed.
The XSS prevention behavior is enabled globally by default and can be turned off globally by setting this property:
XSS_PROTECTION_ENABLED=false
The protected paths (regular expressions matched against the request URI) default to the list found here:
They can be overridden if needed with this comma-separated property (each entry is a regex; the doubled backslash is properties-file escaping, so \\A reaches the regex engine as the \A start-of-string anchor):
XSS_PROTECTED_PATHS=\\A/html/,\\A/c/,\\A/servlets/
With XSS protection enabled, dotCMS expects a valid Referer or Origin header. The Origin header is checked first; only if it is not present does dotCMS fall back to checking the Referer header. For a request to be valid, one of the following must be true:
- The Origin/Referer host name is the same as the host name of the request URL (normally, this is the case).
- The Origin/Referer header has a value equal to a site or alias defined in the Site Manager (not the usual case, but possible).
- The Origin/Referer header has a value equal to the "Portal Url" as defined on the Configuration screen.
- The request is for a *.css file (CSS @import statements do not set a Referer).
If none of these conditions are met and you need to allow access without a Referer to an administrative file or folder, you can add the URIs and paths to ignore to the config property IGNORE_REFERER_FOR_PATHS, as comma-separated values. dotCMS skips the check for every URI that matches an entry exactly or, if the entry ends with an asterisk, for every URI that begins with the value before the asterisk, e.g.
# IGNORE_REFERER_FOR_PATHS=/html/common/css.jsp,/html/my-plugin/*
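The following is an added example that models the decision sequence described above (protected-path regexes, Origin checked before Referer, the four allow conditions, and the IGNORE_REFERER_FOR_PATHS exact/asterisk matching). It is not dotCMS source code: the function names, the `(allowed, reason)` return shape, the parsing of the comma-separated properties and the sample hosts and URIs are assumptions made for illustration. It compares host names parsed from the header rather than raw header strings, so a Referer such as `https://evil.example/?u=https://admin.example` is not mistaken for the admin host.

```python
"""Model of the dotCMS admin-screen Origin/Referer check (added example, not dotCMS code)."""
import re
from urllib.parse import urlsplit

# Default protected paths from the page. The properties file spells them \\A/html/;
# after properties-file unescaping the regex engine sees \A/html/.
DEFAULT_PROTECTED_PATHS = [r"\A/html/", r"\A/c/", r"\A/servlets/"]


def parse_csv_property(value):
    """Split a comma-separated property value such as IGNORE_REFERER_FOR_PATHS
    (a single string; the leading '#' in the page's example is a commented-out line)."""
    return [p.strip() for p in value.split(",") if p.strip()]


def is_protected(uri, protected=DEFAULT_PROTECTED_PATHS):
    """True if any XSS_PROTECTED_PATHS regex matches the request URI."""
    return any(re.search(pattern, uri) for pattern in protected)


def is_ignored(uri, ignore_paths):
    """IGNORE_REFERER_FOR_PATHS semantics: exact match, or prefix match
    when the entry ends with an asterisk."""
    for entry in ignore_paths:
        if entry.endswith("*"):
            if uri.startswith(entry[:-1]):
                return True
        elif uri == entry:
            return True
    return False


def host_of(url):
    """Host name of a URL, lower-cased; None if absent or unparseable.
    'Origin: null' (sent by browsers for opaque origins) yields None."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def get_header(headers, name):
    """Case-insensitive header lookup on a plain dict (assumed request shape)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def request_allowed(request_host, uri, headers, site_aliases=(), portal_url=None,
                    ignore_paths=(), protected=DEFAULT_PROTECTED_PATHS):
    """Return (allowed, reason) for one request to the admin console."""
    if not is_protected(uri, protected):
        return True, "not a protected path"
    if is_ignored(uri, ignore_paths):
        return True, "IGNORE_REFERER_FOR_PATHS match"
    if uri.lower().endswith(".css"):
        return True, "*.css request"  # css @import does not send a Referer

    # Origin is checked first; Referer is consulted only when Origin is absent.
    source = get_header(headers, "Origin")
    if source is None:
        source = get_header(headers, "Referer")
    if source is None:
        return False, "no Origin or Referer header"

    src_host = host_of(source)
    if src_host is None:
        return False, "Origin/Referer has no usable host name"
    if src_host == request_host.lower():
        return True, "same host as request URL"
    if src_host in {alias.lower() for alias in site_aliases}:
        return True, "matches a site or alias in the Site Manager"
    if portal_url and src_host == host_of(portal_url):
        return True, "matches the configured Portal Url"
    return False, "Origin/Referer host is not trusted"


if __name__ == "__main__":
    ignore = parse_csv_property("/html/common/css.jsp,/html/my-plugin/*")
    for uri, hdrs in [
        ("/html/portal/index.jsp", {"Origin": "https://admin.example"}),
        ("/html/portal/index.jsp", {"Referer": "https://evil.example/?u=https://admin.example"}),
        ("/html/my-plugin/widget.jsp", {}),
    ]:
        print(uri, hdrs, "->", request_allowed("admin.example", uri, hdrs, ignore_paths=ignore))
```

Two points the model makes visible: an `Origin` header that is present but untrusted is final (there is no fallback to a friendlier Referer), and an asterisk entry is a plain prefix match, so `/html/my-plugin/*` covers `/html/my-plugin/anything` but not `/html/my-plugin-extra/`.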