From: Mike Rylander Date: Tue, 21 Feb 2023 22:04:49 +0000 (-0500) Subject: Login redirect restriction release notes X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=24bb10fb2850cda0cadacca238241905416b3b85;p=working%2FEvergreen.git Login redirect restriction release notes Signed-off-by: Mike Rylander Signed-off-by: Jason Boyer --- diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc new file mode 100644 index 0000000000..ed06019d4f --- /dev/null +++ b/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc @@ -0,0 +1,11 @@ +== Restrict login redirect == + +As a security best-practice, Evergreen should not allow arbitrary +redirection on successful login, but instead limit redirection to +local links or configured domains and schemes. + +This feature is controlled by a new global flag called *opac.login_redirect_domains* +which must contain a comma-separated list of domains. All hostnames +under each domain is allowed for redirect, and the scheme of the +redirect URL must be one of http, https, ftp, or ftps. +
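Review bot: the sentence "All hostnames under each domain is allowed for redirect" in the new login-redirect-restriction.adoc has a number-agreement error and leaves the matching rule ambiguous; suggest "All hostnames under each listed domain are allowed as redirect targets" and add whether a listed domain matches itself and its subdomains only (a dot-boundary suffix match), so that a list entry such as example.org is not read as also permitting notexample.org. The note also does not say what happens when opac.login_redirect_domains is unset or empty; the first paragraph implies that only local links are then followed, and that default is worth stating since it is the state every upgraded system starts in. Finally, next to "the scheme of the redirect URL must be one of http, https, ftp, or ftps", a sentence on whether scheme-less, protocol-relative values (//host/path) count as local links or are rejected would help administrators, since that form is the usual way a redirect filter that only checks for a leading slash is bypassed.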