On Thu, Jan 28, 2010 at 16:49, Ian Boston <i...@tfd.co.uk> wrote:
> One of our QA people is reporting that Sling servlets support the TRACE
> method, which can be used for XSS attacks.
> I had thought that this was a Jetty misconfiguration issue, but I notice
> that SlingSafeMethodsServlet explicitly supports doTrace.
Interesting, I didn't know of either TRACE or that attack ;-). But a quick Google found this plain description: http://www.kb.cert.org/vuls/id/867593

I think, just to be in line with Apache httpd, we should offer a simple config option for support of TRACE, being disabled by default.

Regards,
Alex

--
Alexander Klimetschek
alexander.klimetsc...@day.com
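The attack behind the CERT note is Cross-Site Tracing: TRACE reflects the full request, headers included, back in the response body, so any browser-side script that can issue a TRACE request can read the Cookie and Authorization headers the browser attached. The mitigation Alex proposes (a switch that is off unless an administrator turns it on, like httpd's "TraceEnable off") looks like the following in plain Servlet API terms. This is an added example written for this thread, not code from Sling or from SlingSafeMethodsServlet; the servlet class name and the "trace.enabled" init parameter are assumed names for illustration.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative servlet (hypothetical, not Sling's SlingSafeMethodsServlet)
 * that gates TRACE behind a configuration switch which defaults to off.
 *
 * The init parameter name "trace.enabled" is an assumption for this example;
 * a deployment would set it in web.xml or the servlet's registration.
 */
public class TraceGuardedServlet extends HttpServlet {

    private static final String TRACE_ENABLED_PARAM = "trace.enabled";

    /** Secure default: TRACE stays disabled unless explicitly enabled. */
    private boolean traceEnabled = false;

    @Override
    public void init() throws ServletException {
        // Boolean.parseBoolean returns false for null or anything but "true",
        // so a missing or mistyped value cannot accidentally enable TRACE.
        traceEnabled = Boolean.parseBoolean(getInitParameter(TRACE_ENABLED_PARAM));
    }

    /** Exposed so tests and diagnostics can confirm the effective setting. */
    boolean isTraceEnabled() {
        return traceEnabled;
    }

    @Override
    protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!traceEnabled) {
            // 405 Method Not Allowed must carry an Allow header listing what
            // the resource does support (RFC 2616 section 10.4.6).
            resp.setHeader("Allow", "GET, HEAD, OPTIONS");
            resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED, "TRACE is disabled");
            return;
        }
        // Enabled: HttpServlet.doTrace echoes the request line and all request
        // headers back as message/http. That echo is precisely the disclosure
        // channel the CERT note describes, hence the off-by-default switch.
        super.doTrace(req, resp);
    }

    @Override
    protected void doOptions(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // HttpServlet.doOptions always advertises TRACE in the Allow header
        // regardless of whether doTrace would honour it, so mirror the switch
        // here; otherwise OPTIONS keeps claiming TRACE support after it is off.
        resp.setHeader("Allow", traceEnabled ? "GET, HEAD, OPTIONS, TRACE" : "GET, HEAD, OPTIONS");
    }
}
```

To verify a deployment, send a TRACE request with a marker header (for example with curl's `-X TRACE -H 'X-Marker: 1'`): a correctly disabled server answers 405 with an Allow header that omits TRACE, whereas a vulnerable one returns 200 with `X-Marker: 1` echoed in the body. Check OPTIONS as well, since a servlet that only overrides doTrace still lists TRACE in its Allow header.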