From: Mike Rylander Date: Tue, 21 Feb 2023 22:04:49 +0000 (-0500) Subject: Login redirect restriction release notes X-Git-Url: http://git.equinoxoli.org/?p=evergreen-equinox.git;a=commitdiff_plain;h=24bb10fb2850cda0cadacca238241905416b3b85 Login redirect restriction release notes Signed-off-by: Mike Rylander Signed-off-by: Jason Boyer --- diff --git a/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc b/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc new file mode 100644 index 0000000..ed06019 --- /dev/null +++ b/docs/RELEASE_NOTES_NEXT/OPAC/login-redirect-restriction.adoc @@ -0,0 +1,11 @@ +== Restrict login redirect == + +As a security best-practice, Evergreen should not allow arbitrary +redirection on successful login, but instead limit redirection to +local links or configured domains and schemes. + +This feature is controlled by a new global flag called *opac.login_redirect_domains* +which must contain a comma-separated list of domains. All hostnames +under each domain is allowed for redirect, and the scheme of the +redirect URL must be one of http, https, ftp, or ftps. +
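Review bot: the matching rule behind "All hostnames under each domain is allowed for redirect" is not stated, and it is the security-relevant detail of this note; say whether a configured domain such as example.org matches only itself and hostnames ending in ".example.org" (a dot-boundary suffix), because a plain string suffix test would also accept an attacker-registered notexample.org. The note should likewise define "local links" (relative paths only, and whether protocol-relative URLs of the form //host/path count as local), state what happens when *opac.login_redirect_domains* is unset or empty, and say where the user lands when a redirect target is rejected. Minor: "All hostnames under each domain is allowed" should read "All hostnames under each domain are allowed".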