XSS PROTECTION FOR ADMIN SCREENS
As of version 5.2, dotCMS has shipped with a filter that is designed to minimize XSS and CSRF vulnerabilities in the administrative console. To do this, dotCMS blocks direct access to all files under the administrative directories, e.g. /dotAdmin … unless dotCMS is sent a valid Referer (or Origin) header. Prior to dotCMS 5.2, a similar protection was enabled using a plugin known as the CSRFFilter plugin, which is no longer needed.
The XSS prevention behavior is enabled globally by default and can be turned off globally by this property:
The paths (regexes) that are protected default to the list found here: https://github.com/dotCMS/core/blob/master/dotCMS/src/main/java/com/dotcms/filters/interceptor/dotcms/XSSPreventionWebInterceptor.java#L26 and can be overridden if needed by this comma-separated property:
With XSS protection, dotCMS expects a valid Origin header. The Origin header is checked first and, if it is not present, dotCMS will fall back to checking the Referer header. For a request to be valid, one of the following must be true:
- The Origin/Referer host name is the same as the host name of the request URL (normally, this is the case).
- The Origin/Referer header has a value equal to a site or alias defined in the Site Manager (less common, but possible).
- The Origin/Referer header has a value equal to the “Portal Url” as defined on the Configuration screen.
- The request is for a *.css file (css @import statements do not set a referer).
If none of these conditions are met and you have a case where you need to allow access to an administrative file or folder without a Referer, you can add URIs and paths to ignore to the config property IGNORE_REFERER_FOR_PATHS, as comma-separated values. dotCMS will ignore all matching URIs or, if a value ends with an asterisk, all URIs that begin with the value, e.g.
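The following is an added example, not dotCMS code, that models the decision described above (Origin first, Referer as fallback, the four allow conditions, and the IGNORE_REFERER_FOR_PATHS exact/asterisk-prefix matching) so the rules can be traced on sample requests. The protected prefixes, site hosts, Portal Url and ignore list are constructed values, and comparing the "Portal Url" by host name is an assumption.

```python
from urllib.parse import urlsplit

# Constructed configuration for this example; the real defaults live in dotCMS's
# XSSPreventionWebInterceptor and its config properties, not here.
PROTECTED_PREFIXES = ("/dotAdmin", "/html/portlet")
SITE_HOSTS = {"cms.example.com", "www.example.com"}   # sites/aliases from the Site Manager
PORTAL_URL = "https://portal.example.com"             # "Portal Url" on the Configuration screen
IGNORE_REFERER_FOR_PATHS = "/dotAdmin/health,/dotAdmin/assets/*"

def host_of(url):
    """Lower-cased host name of a URL, or None if the value is not a parseable URL
    (this also rejects the literal Origin value 'null')."""
    host = urlsplit(url).hostname
    return host.lower() if host else None

def path_is_ignored(path, spec=IGNORE_REFERER_FOR_PATHS):
    """Entries match exactly, unless they end with '*', which makes them prefixes."""
    for entry in (e.strip() for e in spec.split(",") if e.strip()):
        if entry.endswith("*"):
            if path.startswith(entry[:-1]):
                return True
        elif path == entry:
            return True
    return False

def check_request(request_url, headers):
    """Return (allowed, reason) for one request, following the rules in the text."""
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    req = urlsplit(request_url)
    if not req.path.startswith(PROTECTED_PREFIXES):
        return True, "path not protected"
    if req.path.endswith(".css"):
        return True, "stylesheet (CSS @import sends no Referer)"
    if path_is_ignored(req.path):
        return True, "path listed in IGNORE_REFERER_FOR_PATHS"
    # Origin is checked first; Referer is consulted only when Origin is absent.
    source = hdrs.get("origin") or hdrs.get("referer")
    if not source:
        return False, "no Origin or Referer header"
    src_host = host_of(source)
    if src_host is None:
        return False, "unparseable Origin/Referer"
    if src_host == (req.hostname or "").lower():
        return True, "same host as request"
    if src_host in SITE_HOSTS:
        return True, "host matches a site or alias"
    if src_host == host_of(PORTAL_URL):
        return True, "host matches the Portal Url"
    return False, f"unknown source host {src_host!r}"
```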