When you enable URL redirect filtering, HCL Commerce rejects any request that tries to redirect to an unauthorized site. This feature is used to prevent phishing attacks in which a link on an HCL Commerce site sends the shopper to another site.

Examples of URL redirection include:
- The URL parameter in a URL command
- The reLogonURL parameter in the Logon URL command
- URLs defined as click actions in the Marketing Tool. For example, the following query lists them:
  select * from collateral where URL like 'http%'
Procedure
- Open the HCL Commerce configuration file.
  - For a local store (migrated from IBM WebSphere Commerce Version 7 or IBM WebSphere Commerce Version 8), this is located within the Transaction server Docker container (ts-app).
  - For a remote store, this is located within the Store server Docker container (crs-app).
- Locate the web module where you want to enable this feature. For example, if you want to enable this feature for the Stores web module, modify the following section:

    <Module contextPath="/webapp/wcs/stores"
            fileServletEnabled="false" name="Stores"
            urlMappingPath="/servlet" webAlias="/wcsstore">
      <InitParameters adapters="XML/HTTP, BrowserAdapter"
                      contextSetName="Store" handleDoubleClick="true"/>
    </Module>

  Note: If you want to enable this feature for store preview, modify the Module element with the preview context path instead, that is, the element with contextPath="/webapp/wcs/preview".
- Add a URLRedirectFilter element in the Module element as shown in the following example:

    <Module contextPath="/webapp/wcs/stores"
            fileServletEnabled="false" name="Stores"
            urlMappingPath="/servlet" webAlias="/wcsstore">
      <InitParameters adapters="XML/HTTP, BrowserAdapter"
                      contextSetName="Store" handleDoubleClick="true"/>
      <URLRedirectFilter enable="true">
        <AllowedHost name="www.mycompany1.com"/>
        <AllowedHost name="www.mycompany2.com"/>
        <AllowedDomain name="mycompany3.com"/>
      </URLRedirectFilter>
    </Module>

  The usage of these elements is described in the following list:
  - URLRedirectFilter enable="true"
    Specifies whether URL redirect filtering is enabled for this web module. Possible values are true or false.
  - AllowedHost name="www.mycompany1.com"
    Specifies a single hostname that HCL Commerce allows redirection to. By default, if this feature is enabled, the web server hostname that is configured for the HCL Commerce instance is added to the allowed host list.
  - AllowedDomain name="mycompany3.com"
    Specifies an entire domain that HCL Commerce allows redirection to. Use this element if you want to allow redirection to all hosts in a domain.
Example
In the preceding example, URL redirect filtering is enabled for the Stores web module. HCL Commerce allows redirection from the Stores web module to any of the following hosts:
- www.mycompany1.com
- www.mycompany2.com
- www.mycompany3.com
- myhost.mycompany3.com
- myhost2.mycompany3.com
The following hosts would be blocked by HCL Commerce, because www.mycompany4.com is not listed at all and AllowedHost matches only the exact hostname www.mycompany1.com, not hosts beneath it:
- www.mycompany4.com
- myhost.mycompany1.com
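To make the allow-list rules from the procedure and the Example section concrete, here is an added worked example that is not HCL Commerce code and does not reproduce the product's implementation: it parses a constructed copy of the Module fragment shown above with the standard library, applies the two matching rules the page describes (AllowedHost matches one hostname exactly; AllowedDomain matches the domain and every host beneath it, plus the instance's own web server hostname), and evaluates the hosts listed in the Example section. It goes slightly beyond the page by also showing how a defensive check should treat a few tricky inputs (userinfo before the real host, a scheme-relative URL, and a lookalike domain that merely ends in the allowed domain string); the instance hostname `store.example.test`, the treatment of path-only URLs as same-site, and the restriction to http/https are assumptions of this example, not statements from the page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: the Stores <Module> from this page with the
# URLRedirectFilter element added as the procedure describes.
MODULE_XML = """
<Module contextPath="/webapp/wcs/stores" fileServletEnabled="false"
        name="Stores" urlMappingPath="/servlet" webAlias="/wcsstore">
  <InitParameters adapters="XML/HTTP, BrowserAdapter"
                  contextSetName="Store" handleDoubleClick="true"/>
  <URLRedirectFilter enable="true">
    <AllowedHost name="www.mycompany1.com"/>
    <AllowedHost name="www.mycompany2.com"/>
    <AllowedDomain name="mycompany3.com"/>
  </URLRedirectFilter>
</Module>
"""


class RedirectFilter:
    """Model of the allow-list check this page describes (not HCL code).

    instance_host stands for the web server hostname configured for the
    HCL Commerce instance; the page says it is added to the allowed host
    list automatically whenever the filter is enabled.
    """

    def __init__(self, module_xml, instance_host):
        module = ET.fromstring(module_xml)
        flt = module.find("URLRedirectFilter")
        if flt is None:  # no element at all: treat as enable="false"
            flt = ET.Element("URLRedirectFilter", enable="false")
        self.enabled = flt.get("enable", "false").lower() == "true"
        # AllowedHost entries match one hostname exactly.
        self.hosts = {h.get("name", "").lower() for h in flt.findall("AllowedHost")}
        self.hosts.add(instance_host.lower())
        # AllowedDomain entries match the domain and every host beneath it.
        self.domains = {d.get("name", "").lower().lstrip(".")
                        for d in flt.findall("AllowedDomain")}

    def allows(self, url):
        """True if a redirect to `url` is permitted under this configuration."""
        if not self.enabled:
            return True  # filter off: nothing is rejected
        parts = urlsplit(url.strip())
        if parts.scheme and parts.scheme not in ("http", "https"):
            return False  # assumption: only web URLs are redirect targets
        if not parts.netloc:
            return True  # assumption: a path-only URL stays on this instance
        # urlsplit discards userinfo and port, so "https://www.mycompany1.com@x.test/"
        # is judged by its real host, x.test; .hostname is already lower-cased.
        host = (parts.hostname or "").rstrip(".")
        if host in self.hosts:
            return True
        # Suffix match only on a label boundary, so "evilmycompany3.com" fails.
        return any(host == d or host.endswith("." + d) for d in self.domains)


def page_example():
    """Evaluate the hosts listed in this page's Example section."""
    f = RedirectFilter(MODULE_XML, "store.example.test")  # constructed instance host
    targets = [
        "https://www.mycompany1.com/", "https://www.mycompany2.com/",
        "https://www.mycompany3.com/", "https://myhost.mycompany3.com/",
        "https://myhost2.mycompany3.com/", "https://www.mycompany4.com/",
        "https://myhost.mycompany1.com/",
    ]
    return {urlsplit(t).hostname: f.allows(t) for t in targets}


if __name__ == "__main__":
    for host, ok in page_example().items():
        print(f"{'allowed' if ok else 'blocked':8} {host}")
```

Running the block prints the five allowed and two blocked hosts exactly as the Example section lists them. The label-boundary check in `allows` is the detail worth carrying into any review of a redirect allow list: a plain string suffix test would accept a lookalike such as `evilmycompany3.com`, while the userinfo case shows why the real host must be taken from a proper URL parser rather than from the text that follows `https://`.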