Login redirect restriction release notes
authorMike Rylander <mrylander@gmail.com>
Tue, 21 Feb 2023 22:04:49 +0000 (17:04 -0500)
committerJason Boyer <JBoyer@equinoxOLI.org>
Wed, 17 May 2023 14:26:39 +0000 (10:26 -0400)
Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>

docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc [new file with mode: 0644]

diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc
new file mode 100644 (file)
index 0000000..ed06019
--- /dev/null
@@ -0,0 +1,11 @@
+== Restrict login redirect ==
+
+As a security best-practice, Evergreen should not allow arbitrary
+redirection on successful login, but instead limit redirection to
+local links or configured domains and schemes.
+
+This feature is controlled by a new global flag called *opac.login_redirect_domains*
+which must contain a comma-separated list of domains.  All hostnames
+under each domain is allowed for redirect, and the scheme of the
+redirect URL must be one of http, https, ftp, or ftps.
+
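Review bot: The matching semantics in the second paragraph are underspecified for a security control: "All hostnames under each domain is allowed" should read "are allowed", and the note should say whether the configured domain itself matches or only its subdomains, whether the comparison is a suffix match on the full hostname label boundary (so that a configured `example.org` does not also admit `notexample.org`), and what happens to the redirect when the flag is unset or empty (fall back to a local default page, or refuse the redirect). Stating that the scheme check and the domain check are both required would also help administrators verify the behaviour.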