Short Description: Tells the Domino server to accept iNotes commands with HTTP Referer values
Scenario: Your environment contains more than one second-level DNS domain, or a proxy server in one domain proxies access to iNotes servers in a different domain
If a proxy server in domain *.ibm.com proxies access to iNotes servers in *.lotus.com, iNotes needs to be configured to treat both *.ibm.com and *.lotus.com as valid, trusted domains. Consider taking this step if you have multiple domains even if you do not have a proxy in place at the time you install this update, to avoid potential problems later. To do this, change the iNotes_WA_Security_RefererWhitelist setting in the Domino server's notes.ini file to list all of the domains. If this setting has a value, it overrides any defaults. For example:
This tells the Domino server to accept iNotes commands with HTTP Referer values containing both *.ibm.com and *.lotus.com.
If your environment contains multiple DNS domains, and the unauthorized domain reported in the Server Console Display (e.g. www.baddomain.com, as shown in the table above) is actually one of the domains in your environment, then it is likely that there is a configuration issue.
If none of the configurations described in the Problem section above applies to you, then your server may have been the target of a Cross-Site Request Forgery attack. If that is the case, the information in the error message may help you identify the attacker and/or the user account that was targeted. For example, in the following error message, the mail file targetmail.nsf was the target of the blocked request, and the request most likely originated from a page loaded from the site www.baddomain.com.
11/13/2009 11:49:15.73 AM [02E4:000B-0F40] XSS:> Referer Check Error: Request originated from a different domain: baddomain.
Bad Request: /mail/targetmail.nsf/($Inbox)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_ViewName;(%24Inbox),s_NotesForm;Journ
11/13/2009 11:49:15 AM iNotes XSS Security: Referer Check Error: Unauthorizeddomain www.baddomain.com attempted to issue an iNotes command. Request not processed
If you have determined that you have been the target of an attack, take appropriate measures to respond to the situation. For information about these types of attacks, see the Cross-Site Request Forgery page from OWASP.
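The console messages above can be triaged mechanically. The following script is an added example, not part of this technote or of Domino: it parses the "Bad Request" and "iNotes XSS Security: Referer Check Error" lines out of a constructed console sample (modelled on the messages quoted above, with a second, invented event), pairs each blocked request with the referring host and the targeted mail file, and then applies the distinction made in this section: a referer from one of your own second-level domains points to a missing whitelist entry, while any other domain is a candidate CSRF attempt worth investigating. The sample log text, the `environment_domains` list and the verdict labels are assumptions of the example.

```python
import re

# Constructed sample of Domino console output, modelled on the messages quoted
# above (sample data, not taken from a real server).  The second pair of
# messages is invented to show a referer from a domain that IS part of the
# environment.
SAMPLE_CONSOLE = """\
11/13/2009 11:49:15.73 AM [02E4:000B-0F40] XSS:> Referer Check Error: Request originated from a different domain: baddomain.
Bad Request: /mail/targetmail.nsf/($Inbox)/$new/?EditDocument&Form=h_PageUI&PresetFields=s_ViewName;(%24Inbox),s_NotesForm;Journ
11/13/2009 11:49:15 AM iNotes XSS Security: Referer Check Error: Unauthorizeddomain www.baddomain.com attempted to issue an iNotes command. Request not processed
11/13/2009 11:52:03.10 AM [02E4:000C-0F41] XSS:> Referer Check Error: Request originated from a different domain: ibm.
Bad Request: /mail/jsmith.nsf/($Inbox)/$new/?EditDocument&Form=h_PageUI
11/13/2009 11:52:03 AM iNotes XSS Security: Referer Check Error: Unauthorizeddomain proxy.ibm.com attempted to issue an iNotes command. Request not processed
11/13/2009 11:55:00 AM HTTP Server: Restarted
"""

# Summary line written by the iNotes XSS Security check; captures the time and
# the referring host.  "Unauthorizeddomain" is matched exactly as it is logged.
ERROR_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"iNotes XSS Security: Referer Check Error: Unauthorizeddomain (?P<host>\S+) attempted"
)
# "Bad Request" line that precedes the summary; only the database path is kept.
BAD_REQUEST_RE = re.compile(r"^Bad Request: (?P<db>/\S*?\.nsf)")


def second_level_domain(host):
    """Reduce a host name to its last two labels (www.baddomain.com -> baddomain.com).
    Simplification: public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_referer_errors(console_text):
    """Return one dict per blocked request: timestamp, referer host, target database."""
    events, pending_db = [], None
    for line in console_text.splitlines():
        m = BAD_REQUEST_RE.match(line)
        if m:
            pending_db = m.group("db")
            continue
        m = ERROR_RE.match(line)
        if m:
            events.append({"timestamp": m.group("ts"),
                           "referer_host": m.group("host"),
                           "target_db": pending_db})
            pending_db = None
    return events


def triage(console_text, environment_domains):
    """Label each blocked request: a referer from one of your own second-level
    domains indicates a configuration problem (missing whitelist entry); any
    other domain is a candidate CSRF attempt that deserves investigation."""
    env = {second_level_domain(d) for d in environment_domains}
    results = []
    for event in parse_referer_errors(console_text):
        sld = second_level_domain(event["referer_host"])
        verdict = "likely misconfiguration" if sld in env else "possible CSRF"
        results.append({**event, "referer_domain": sld, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_CONSOLE, ["lotus.com", "ibm.com"]):
        print(f"{r['timestamp']}  {r['referer_domain']:<15} {r['target_db']}  -> {r['verdict']}")
```

Run against a real console log, the `environment_domains` list should contain every second-level domain your users and proxies legitimately come from; anything labelled "possible CSRF" is a lead for the investigation described above, and anything labelled "likely misconfiguration" is a domain to add to iNotes_WA_Security_RefererWhitelist.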
If the Referer value is invalid or removed by a proxy server, or if it references a different second-level HTTP domain than that of the iNotes server, then you need to change your configuration. Use the table below and the scenarios provided in this section to determine the relevant notes.ini setting you may need to add, based on your configuration.
Note that the Domino console command set config can be used to modify these settings without restarting the entire Domino server. After setting the value, restart the Domino HTTP task and the setting will take effect. For example:
> set config iNotes_WA_Security_RefererCheck=0
> tell http restart
|notes.ini setting|Value|Description|
|iNotes_WA_Security_RefererCheck|0|Referer header checking is disabled.|
|iNotes_WA_Security_RefererCheck|1|Strict Referer header checking is enabled (default). POST requests must have a Referer header. If a whitelist exists, the Referer header must match an entry there. If no whitelist exists (default), the Referer header must match the server's domain.|
|iNotes_WA_Security_RefererCheck|2|Lenient Referer checking is enabled. POST requests are not required to have a Referer header. If a Referer header is present and a whitelist exists, the Referer header must match an entry on the whitelist. If a Referer header is present and no whitelist exists, the Referer header must match the server's domain.|
|iNotes_WA_Security_RefererWhitelist|<domain>|Explicitly defines the Referer header domains that will be accepted, for example domain1.com.|
There is no known UI setting for this notes.ini variable, but you can specify it on the notes.ini settings tab of the Configuration Settings document.
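To see how the three modes and the whitelist interact before changing a production server, the following added example (not Domino's code and not part of this technote) models the rules in the table as a small decision function and runs it over constructed requests: an iNotes server in lotus.com, a proxy in ibm.com, and a hostile page on baddomain.com. It assumes, beyond what the table states, that only POST requests are checked, that whitelist entries and the server's domain are compared at second-level-domain granularity, and that an empty whitelist counts as "no whitelist"; the host names and case labels are sample values.

```python
from urllib.parse import urlsplit

# Values of iNotes_WA_Security_RefererCheck as listed in the table above.
DISABLED, STRICT, LENIENT = 0, 1, 2


def second_level_domain(host):
    """www.lotus.com -> lotus.com (public suffixes such as co.uk are not handled)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def referer_allowed(method, referer, server_host, mode=STRICT, whitelist=None):
    """Decide whether one request passes the Referer check.

    Returns (allowed, reason).  Assumptions of this model (not stated on the
    page): only POST requests are checked, whitelist entries are compared at
    second-level-domain granularity, and an empty whitelist means "no whitelist".
    """
    if mode == DISABLED:
        return True, "Referer checking disabled"
    if method.upper() != "POST":
        return True, "not a POST request; no check applied"
    if not referer:
        if mode == LENIENT:
            return True, "lenient: POST without Referer is tolerated"
        return False, "strict: POST without Referer header rejected"
    host = urlsplit(referer).hostname or ""
    referer_domain = second_level_domain(host)
    if whitelist:
        allowed_domains = {second_level_domain(d) for d in whitelist}
        if referer_domain in allowed_domains:
            return True, f"{referer_domain} is on the whitelist"
        return False, f"{referer_domain} is not on the whitelist"
    if referer_domain == second_level_domain(server_host):
        return True, f"{referer_domain} matches the server's domain"
    return False, f"{referer_domain} differs from the server's domain"


# Constructed requests (sample values): an iNotes server in lotus.com, a proxy
# in ibm.com and a hostile page on baddomain.com.
SERVER = "inotes.lotus.com"
WHITELIST = ["ibm.com", "lotus.com"]
CASES = {
    # name: (method, Referer header, RefererCheck mode, whitelist)
    "proxy_strict_no_whitelist":    ("POST", "https://proxy.ibm.com/mail/x.nsf", STRICT, None),
    "proxy_strict_whitelisted":     ("POST", "https://proxy.ibm.com/mail/x.nsf", STRICT, WHITELIST),
    "no_referer_strict":            ("POST", None, STRICT, None),
    "no_referer_lenient":           ("POST", None, LENIENT, None),
    "attacker_lenient_whitelisted": ("POST", "http://www.baddomain.com/evil.html", LENIENT, WHITELIST),
    "attacker_disabled":            ("POST", "http://www.baddomain.com/evil.html", DISABLED, None),
    "same_site_strict":             ("POST", "https://inotes.lotus.com/mail/x.nsf", STRICT, None),
    "get_no_referer_strict":        ("GET", None, STRICT, None),
}


def evaluate_cases():
    """Map each case name to the True/False decision the check would make."""
    return {name: referer_allowed(m, ref, SERVER, mode, wl)[0]
            for name, (m, ref, mode, wl) in CASES.items()}


if __name__ == "__main__":
    for name, (m, ref, mode, wl) in CASES.items():
        ok, why = referer_allowed(m, ref, SERVER, mode, wl)
        print(f"{name:<30} {'ALLOW' if ok else 'BLOCK':5}  {why}")
```

The first two cases are the proxy scenario from this section: the proxied request is blocked under the default strict check and allowed once both domains are whitelisted. The lenient cases show what the relaxed mode does and does not give up: a stripped Referer is tolerated, but a Referer from an unlisted domain is still rejected, whereas setting the value to 0 removes the protection entirely.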