tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: CSRF and nonce Config ???
Date Thu, 07 Feb 2013 15:13:57 GMT

Konstantin,

On 2/7/13 5:19 AM, Konstantin Kolinko wrote:
> Any other web application that wants to use this feature has to 
> configure this filter explicitly and must pass all important URLs 
> through HttpServletResponse.encodeURL().

Web applications should always pass URLs through
HttpServletResponse.encodeURL (or
HttpServletResponse.encodeRedirectURL), whether they are important or
not ;)

-chris
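As an added example (not code from the thread or from Tomcat itself), a hypothetical servlet deployed behind Tomcat's CsrfPreventionFilter that follows the advice above: every link is built with encodeURL() and every redirect with encodeRedirectURL(). It assumes the javax.servlet 3.0 API and a filter mapping covering /account/*.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet mapped behind org.apache.catalina.filters.CsrfPreventionFilter
// (configured in web.xml). The filter wraps the response so that encodeURL() and
// encodeRedirectURL() append the current nonce as the request parameter
// org.apache.catalina.filters.CSRF_NONCE; a URL that bypasses them carries no
// nonce and the next request to a protected path is refused (HTTP 403 by default).
@WebServlet("/account")
public class AccountServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // Every URL that leads back into the application goes through encodeURL(),
        // so the nonce (and the session id, when cookies are off) is appended.
        String listUrl = resp.encodeURL("list");
        String deleteUrl = resp.encodeURL(req.getContextPath() + "/account/delete");
        out.println("<a href=\"" + attr(listUrl) + "\">List</a>");
        out.println("<form method=\"post\" action=\"" + attr(deleteUrl) + "\">"
                + "<button>Delete account</button></form>");

        // Not this: a raw URL skips the nonce, and the filter rejects what follows.
        // out.println("<a href=\"" + req.getContextPath() + "/account/delete\">x</a>");
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Redirect targets go through encodeRedirectURL(), the variant the
        // container provides for Location headers.
        resp.sendRedirect(resp.encodeRedirectURL(req.getContextPath() + "/account"));
    }

    // Escape '&' and quotes so the appended ?org.apache.catalina.filters.CSRF_NONCE=...
    // query string is well-formed inside an HTML attribute.
    private static String attr(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;");
    }
}
```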


