Hacker News new | past | comments | ask | show | jobs | submit login

I've worked on (non-Atlassian) SSO projects where the provider used the referrer to send the client to the page-after-logout (and occasionally page-after-login) if they weren't set as parameters in some circumstances.

Here's a reference to a F5 device providing SAML SSO services and having a similar issue:

https://www.devcentral.f5.com/s/question/0D51T00007npfjw/chr...




I actually had a member of Atlassian's "security dev team" tell me in a support ticket I opened about being unable to login with referer headers disabled that:

> since we cannot discount the possibility of malicious users programatically generating tokens and forcing them upon users, we check the referer header to ensure that the request chain was initiated in the one place that we're comfortable with: id.atlassian.com

Make of that what you will.


Providing this is the reason Atlassian uses the referrer, then this seems reasonable usage. Thanks for clarifying!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: