From bb3e7876354f606da37a9f12034a62405445b024 Mon Sep 17 00:00:00 2001
From: Mike Rylander <mrylander@gmail.com>
Date: Tue, 21 Feb 2023 17:04:49 -0500
Subject: [PATCH] Login redirect restriction release notes

Signed-off-by: Mike Rylander <mrylander@gmail.com>
Signed-off-by: Jason Boyer <JBoyer@equinoxOLI.org>
---
 docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc

diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc
new file mode 100644
index 0000000000..ed06019d4f
--- /dev/null
+++ b/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc
@@ -0,0 +1,11 @@
+== Restrict login redirect ==
+
+As a security best-practice, Evergreen should not allow arbitrary
+redirection on successful login, but instead limit redirection to
+local links or configured domains and schemes.
+
+This feature is controlled by a new global flag called *opac.login_redirect_domains*
+which must contain a comma-separated list of domains.  All hostnames
+under each domain is allowed for redirect, and the scheme of the
+redirect URL must be one of http, https, ftp, or ftps.
+
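Review bot: The note describes the allow-list but not the failure path: it should state what Evergreen does when the post-login redirect target is not a local link, does not fall under a listed domain, or uses a scheme outside http/https/ftp/ftps (for example, fall back to the local OPAC home page), and what behaviour an empty or unset *opac.login_redirect_domains* produces, since operators will read this note to decide whether upgrading changes existing redirect behaviour. Two smaller points: "All hostnames under each domain is allowed" should read "are allowed", and since the flag grants access to every hostname under a domain, the note should spell out that matching is on domain suffix boundaries (so a listed `example.org` covers `opac.example.org` but not `notexample.org`), because that is the property an administrator needs in order to reason about the allow-list.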
-- 
2.11.0