Cross Site RequestsΒΆ

The Curity Identity Server contains a feature that blocks requests from cross-site origins to plugin request handlers. Each plugin can programmatically define the set of handlers can be accessed on cross-site request and the ones that are only usable on same-site requests. This feature is described in Cross-site Plugin Handlers.

However, it is also possible to override this policy using the following system properties:

  • se.curity.crosssite.block.enabled - When set to false the blocking behavior is disabled and all cross-site requests are allowed, independently of the individual plugin policy. The default value is true.
  • se.curity.crosssite.block.authenticators.deny - This property receives a comma separated list of authenticator type names (e.g. html-form), for which cross-site access should be blocked. It can be used to make sure a given authenticator is not accessed on cross-site requests, independently of its implementation. The default value is an empty list.
  • se.curity.crosssite.block.actions.deny - This property receives a comma separated list of authentication action type names (e.g. attribute-prompt), for which cross-site access should be blocked. It can be used to make sure a given authentication action is not accessed on cross-site requests, independently of its implementation. The default value is an empty list.