From: Joe Bohn
Date: Tue, 30 Jun 2009 12:02:51 -0400
To: dev@geronimo.apache.org
Subject: Re: Session creation triggered by XSS/XSRF filter
Message-ID: <4A4A372B.6000707@earthlink.net>
References: <19C49411-7FD5-4D95-BCA9-20369A4AAAD7@gmail.com> <4A4A1CB6.2030503@apache.org> <4A4A2097.3080809@earthlink.net>

Kevan Miller wrote:
>
> On Jun 30, 2009, at 10:26 AM, Joe Bohn wrote:
>
>> I tried some random URIs and always received a 404 back in my tests.
>>
>> This could be a problem with the filter on the welcome application.
>> It currently has a context-root of "/" and the filter is registered
>> with a URL pattern of "/*".
>
> OK, that would explain it... So, is there any reason to run XSS
> filtering on the welcome app?

I'm not sure if there is a strong reason to have the filter applied to the welcome application. I have this vague recollection of somebody raising an issue earlier ... but I can't find any reference, and after a quick glance I don't see any obvious exposures. It primarily includes links into our wiki documentation along with a few other links (such as to the console and to subscribe to the mailing lists). Perhaps the mail subscription links might present an exposure? Or perhaps the IRC link?

Does anybody have an idea if this is really necessary? It seems like overkill to me.

Joe
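An added illustration of the concern in the subject line, not Geronimo's own filter and not code from this thread: a servlet filter mapped with `/*` that never allocates a session on its own (it uses `getSession(false)`), so an anonymous request for an unmapped URI that will 404 passes through without a server-side session or a Set-Cookie, and the anti-XSRF token is checked only on state-changing methods. The session attribute and request parameter names are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class SessionSafeXsrfFilter implements Filter {
    // Hypothetical names for the token held in the session and the one sent by the form.
    private static final String TOKEN_ATTR = "xsrf.token";
    private static final String TOKEN_PARAM = "xsrfToken";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false) returns null instead of creating a session, so a
        // request that merely probes a random URI costs no session object.
        HttpSession session = request.getSession(false);
        String method = request.getMethod();
        boolean stateChanging = !("GET".equals(method) || "HEAD".equals(method)
                || "OPTIONS".equals(method));

        if (stateChanging) {
            // Only state-changing requests must carry a token, and the token can
            // only be compared against one that an existing session already holds.
            String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
            String supplied = request.getParameter(TOKEN_PARAM);
            if (expected == null || !constantTimeEquals(expected, supplied)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid XSRF token");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Compare every character so the comparison time does not leak the first mismatch.
    private static boolean constantTimeEquals(String a, String b) {
        if (b == null || a.length() != b.length()) return false;
        int diff = 0;
        for (int i = 0; i < a.length(); i++) diff |= a.charAt(i) ^ b.charAt(i);
        return diff == 0;
    }
}
```

Issuing the token (storing it in the session when a page with a form is rendered) is left to the application; narrowing the filter's `url-pattern` in web.xml to the paths that actually serve forms reduces the exposure further.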