geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rex Wang <rwo...@gmail.com>
Subject Re: Session creation triggered by XSS/XSRF filter
Date Tue, 30 Jun 2009 16:22:44 GMT
IMO, I don't think the welcome page need this filter. The filter only deal
with the links that have the request parameters and the form request, but in
the welcome page, there is no such links, so the filter won't take any
effects.

The reason why add the filtering to welcome project, as the G-4597
indicated, seems just want to comply with some sort of security standards..
so add this filter to all of our web projects(welcome, console....), just my
guess..

-Rex
2009/7/1 Joe Bohn <joe.bohn@earthlink.net>

>  Kevan Miller wrote:
>
>>
>> On Jun 30, 2009, at 10:26 AM, Joe Bohn wrote:
>>
>> I tried some random URIs and always received a 404 back in my tests.
>>>
>>> This could be a problem with the filter on the welcome application.  It
>>> currently has a context-root of "/" and the filter is registered with a URL
>>> pattern of "/*".
>>>
>>
>> OK, that would explain it... So, is there any reason to run XSS filtering
>> on the welcome app?
>>
>
> I'm not sure if there is a strong reason to have the filter applied to the
> welcome application.  I have this vague recollection of somebody raising an
> issue earlier ... but I can't find any reference and after a quick glance I
> don't see any obvious exposures.
>
> It primarily includes links into our wiki documentation along with a few
> other links (such as to the console and to subscribe to the mailing lists).
> Perhaps the mail subscription links might present an exposure?
> Or perhaps on the IRC link?
>
> Does anybody have an idea if this is really necessary?  It seems like
> overkill to me.
>
> Joe
>
>

Mime
View raw message