From bb3e7876354f606da37a9f12034a62405445b024 Mon Sep 17 00:00:00 2001 From: Mike Rylander <mrylander@gmail.com> Date: Tue, 21 Feb 2023 17:04:49 -0500 Subject: [PATCH] Login redirect restriction release notes Signed-off-by: Mike Rylander <mrylander@gmail.com> Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org> --- docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc new file mode 100644 index 0000000000..ed06019d4f --- /dev/null +++ b/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc @@ -0,0 +1,11 @@ +== Restrict login redirect == + +As a security best-practice, Evergreen should not allow arbitrary +redirection on successful login, but instead limit redirection to +local links or configured domains and schemes. + +This feature is controlled by a new global flag called *opac.login_redirect_domains* +which must contain a comma-separated list of domains. All hostnames +under each domain is allowed for redirect, and the scheme of the +redirect URL must be one of http, https, ftp, or ftps. + -- 2.11.0
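Review bot: the release note leaves two behaviours undocumented that administrators will need: what the redirect rule is when *opac.login_redirect_domains* is empty or unset (the first paragraph implies redirection is then limited to local links only, but the flag description does not say so), and what "All hostnames under each domain" means in practice, i.e. whether an entry matches only that domain and its subdomains (a dot-boundary suffix match) rather than any hostname that merely ends in the same string. Suggest adding one sentence for each, e.g. "If the flag is empty, only local (same-site) redirects are permitted." Also, the line `+under each domain is allowed for redirect, and the scheme of the` should read `are allowed`.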