From "Forrest Xia (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (GERONIMO-6348) XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content
Date Fri, 18 May 2012 09:36:11 GMT

    [ https://issues.apache.org/jira/browse/GERONIMO-6348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13278665#comment-13278665 ]

Forrest Xia commented on GERONIMO-6348:
---------------------------------------

r1340038 might introduce a security issue here, so I reverted it and will continue investigating this issue.

However, when a user sees the filter error, refreshing the same window will show the welcome page.
> XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content
> --------------------------------------------------------------------
>
>                 Key: GERONIMO-6348
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-6348
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: console
>    Affects Versions: 3.0-beta-1
>         Environment: Windows, IE8 with compatibility mode on or Eclipse internal web browser.
>            Reporter: Jarek Gawor
>
> When using the admin console on Windows with IE8 with compatibility mode on, the following messages are generated on each click:
> 2012-05-10 01:57:10,307 WARN  [XSRFHandler] Blocked due to missing HttpServletRequest parameter.
> 2012-05-10 01:57:10,307 ERROR [XSSXSRFFilter] XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content.
> These messages are generated each time a request is made to access /console/dojo/dojo/resources/blank.html. It looks like Dojo has a special case for IE which generates this extra request not seen on other browsers.
> The problem is also visible using Eclipse's internal web browser, which automatically gets configured with IE compatibility mode.
> These errors look harmless but can be very confusing and annoying to users, so I think we need to find some way to avoid them.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
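The trade-off behind the reverted fix above is exempting Dojo's blank.html request from the XSRF check without exempting anything that can change state. The following added example is not Geronimo code and not the console's XSSXSRFFilter; the class, parameter and session attribute names are assumptions, and only the blank.html path comes from the report.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Hypothetical filter: a narrow static-resource exemption, token check for everything else. */
public class NarrowExemptionXsrfFilter implements Filter {
    // Assumed names; the console's real parameter and session attribute names may differ.
    static final String TOKEN_PARAM = "xsrfToken";
    static final String TOKEN_ATTR = "xsrfToken";
    // Only the exact read-only path Dojo's IE code path fetches (context path stripped).
    static final Set<String> STATIC_EXEMPT =
            Collections.singleton("/dojo/dojo/resources/blank.html");
    /** Exempt only safe methods on an exact listed path, never a whole extension or directory. */
    static boolean isExemptStaticResource(String method, String path) {
        boolean safeMethod = "GET".equals(method) || "HEAD".equals(method);
        return safeMethod && path != null && STATIC_EXEMPT.contains(path);
    }

    /** Constant-time comparison so the check does not leak the token through timing. */
    static boolean tokenMatches(String expected, String supplied) {
        if (expected == null || supplied == null) return false;
        return MessageDigest.isEqual(expected.getBytes(), supplied.getBytes());
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        String info = hreq.getPathInfo();
        String path = hreq.getServletPath() + (info == null ? "" : info);
        if (isExemptStaticResource(hreq.getMethod(), path)) {
            chain.doFilter(req, res); // cannot change state, so no token is required
            return;
        }
        HttpSession session = hreq.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_ATTR);
        if (!tokenMatches(expected, hreq.getParameter(TOKEN_PARAM))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Blocked due to missing or invalid XSRF token");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

A POST to the same blank.html path, or a GET to any path not in the list, still goes through the token check, which is what keeps the exemption from becoming the security issue the comment refers to.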