Sorry for the late reply, Christmas and all.
This class should do it, register it in web.config under configuration/system.webServer/modules. Most if the code is null-checks to make sure the request doesn't break if any unexpected should happen.
The main pointers are
This class should do it, register it in web.config under configuration/system.webServer/modules. Most if the code is null-checks to make sure the request doesn't break if any unexpected should happen.
The main pointers are
- Check if a request maps to a Webforms page - all C1 pages are handled by a webforms handler
- PageRenderer.CurrentPage is set in the PreInit event of the handler, so hook our code up to that
- If the request maps to a C1 page, check if the root-node of that page, matches the root-page of the hostname of the url.
-
If not, we're requesting a page from a different site and should return 404.
public class NoCrossSiteRedirectHttpModule : IHttpModule
{
public void Dispose() { }
public void Init(HttpApplication app)
{
app.PostMapRequestHandler += app_PostMapRequestHandler;
}
private static void app_PostMapRequestHandler(object sender, EventArgs e)
{
var ctx = ((HttpApplication)sender).Context;
if (ctx.Request.Url.LocalPath.StartsWith(UrlUtils.AdminRootPath))
{
return;
}
var handler = ctx.CurrentHandler as Page;
if (handler == null)
{
return;
}
handler.PreInit += handler_PreInit;
}
private static void handler_PreInit(object sender, EventArgs e)
{
var page = (Page)sender;
var c1Page = PageRenderer.CurrentPage;
if (c1Page == null)
{
return;
}
var request = page.Request;
var pageData = PageUrls.ParseUrl(request.Url.Scheme + "://" + request.Url.Host);
if (pageData == null)
{
return;
}
var resolvedRootId = SitemapNavigator.CurrentHomePageId;
var siteRootId = pageData.PageId;
if (siteRootId == resolvedRootId)
{
return;
}
var response = page.Response;
response.Clear();
response.StatusCode = (int)HttpStatusCode.NotFound;
response.End();
}
}