Hi All,
I'm security testing a 10.7 Enterprise deployment and came across a situation that I thought was supposed to be blocked. I thought that if the "referer" value was set in the generateToken request, the token would be rejected if the client request's Referer value didn't match. Am I misunderstanding what that value is used for?
Example:
* Go to: https://<myserver>/portal/sharing/rest/generateToken
  - enter username and password
  - select Webapp URL
  - enter a random web site value
  - click the GenerateToken button
  - copy the Generated Token value from the response
* Open an incognito/in-private browser tab
* Browse to any secured REST services page, e.g. https://<myserver>/hosted/rest/services/MyGPTools/GPServer/Tool1
  - Verify that the service is secured and you are redirected to the portal login page
* Append the token to the URL, e.g. https://<myserver>/hosted/rest/services/MyGPTools/GPServer/Tool1?token={paste from response}
  - the default browser request does not have a Referer header value, so I'm expecting the request to be blocked and redirected back to the login page. But in this test, the REST info displays fine and dandy. ???
Maybe I'm simply misunderstanding what this value is used for...
Thanks
Was there ever any answer to this question? I'm seeing the same behavior in 2025. The "client" parameter to the REST call https://<myserver>/portal/sharing/rest/generateToken is required, but I don't see and/or understand that it has any effect. Any IP (for requestip) and any referer (for referer) appears to be able to use the generated token. So what is "client" for?
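Both posts describe the behaviour they expected from a client binding: a token issued for a given Webapp URL (or caller IP) should be rejected when the request that presents it does not match. The following Python is an added illustration of what an enforcing token service would have to do; it is not Esri's code and does not describe how Portal's generateToken actually behaves. The parameter names `referer` and `requestip` are borrowed from the forum posts, the signing key, hostnames and IP addresses are constructed for the demo, and the binding is carried inside an HMAC-signed token so that the validator compares it against the live request rather than trusting the caller.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit

# Constructed secret for the demo; a real token service keeps its signing key server-side.
SIGNING_KEY = b"constructed-demo-signing-key"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _origin(url: str) -> str:
    """Reduce a URL or Referer header value to scheme://host[:port], lower-cased."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def generate_token(username, client, bound_value=None, expiration_minutes=60, now=None):
    """Mint a signed token tied to one client binding (hypothetical issuer).

    'referer' binds the token to a web-app origin, 'requestip' binds it to a
    caller IP; bound_value is the Webapp URL or the IP the token is issued for.
    """
    if client not in ("referer", "requestip"):
        raise ValueError("unsupported client binding: %r" % client)
    if not bound_value:
        raise ValueError("a %s binding needs a value" % client)
    now = int(time.time()) if now is None else now
    payload = {
        "sub": username,
        "client": client,
        "bound": _origin(bound_value) if client == "referer" else bound_value,
        "exp": now + expiration_minutes * 60,
    }
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def validate_token(token, request_referer=None, request_ip=None, now=None):
    """Return (accepted, reason); the binding stored inside the signed token is
    compared with what the current request actually presents."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    payload = json.loads(_unb64(body))
    if now >= payload["exp"]:
        return False, "expired"
    if payload["client"] == "referer":
        # The poster's incognito test: a bare browser request carries no Referer.
        if not request_referer:
            return False, "referer binding: no Referer header on request"
        if _origin(request_referer) != payload["bound"]:
            return False, "referer binding: origin mismatch"
    elif payload["client"] == "requestip":
        if request_ip != payload["bound"]:
            return False, "requestip binding: caller IP mismatch"
    return True, "ok"


def run_demo():
    """Replay the forum's scenario against this enforcing validator."""
    t0 = 1_700_000_000  # fixed clock so results are reproducible
    # Token issued with Webapp URL = some random web site, as in the post.
    tok = generate_token("tester", "referer", "https://random.example.test/app/", now=t0)
    results = {
        "no_referer": validate_token(tok, now=t0 + 10),
        "matching_referer": validate_token(
            tok, request_referer="https://random.example.test/app/index.html", now=t0 + 10),
        "other_referer": validate_token(
            tok, request_referer="https://another-site.example.test/", now=t0 + 10),
        "expired": validate_token(
            tok, request_referer="https://random.example.test/", now=t0 + 3601),
    }
    # Re-pointing the binding without the key must fail the signature check.
    body, sig = tok.split(".")
    edited = dict(json.loads(_unb64(body)), bound="https://another-site.example.test")
    forged = _b64(json.dumps(edited, sort_keys=True).encode()) + "." + sig
    results["forged_binding"] = validate_token(
        forged, request_referer="https://another-site.example.test/", now=t0 + 10)
    ip_tok = generate_token("tester", "requestip", "203.0.113.7", now=t0)
    results["ip_match"] = validate_token(ip_tok, request_ip="203.0.113.7", now=t0 + 10)
    results["ip_mismatch"] = validate_token(ip_tok, request_ip="198.51.100.9", now=t0 + 10)
    return results
```

The design point is that the binding only helps if the validator enforces it on every request: a Referer header is set by the browser and can be omitted or forged by any non-browser client, so a `referer` binding stops accidental cross-site reuse by ordinary web apps rather than a determined caller, and `requestip` gives little protection where clients sit behind shared NAT or a proxy. Whatever a given product does with the `client` parameter, the observable test is the same one the posters ran: present the token with no Referer, with a different Referer, and from a different source address, and confirm which of those the service actually rejects.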