[ https://issues.apache.org/jira/browse/SCB-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16822292#comment-16822292 ]
liubao commented on SCB-1263:
-----------------------------

Tracing is one of the possible scenarios, and you give an optional way to implement this. I still think making it possible for users to specify the cse-context header is important. Specifying cse-context is not the vulnerability, but "the set must happen after the override" is. This is very common in the HTTP protocol: users can set any internal hidden headers, and the application takes its responsibility to protect from override.

> forward request in edge should not inherit cse-context
> ------------------------------------------------------
>
>                 Key: SCB-1263
>                 URL: https://issues.apache.org/jira/browse/SCB-1263
>             Project: Apache ServiceComb
>          Issue Type: Task
>          Components: Java-Chassis
>            Reporter: wujimin
>            Assignee: YaoHaishi
>            Priority: Major
>             Fix For: java-chassis-1.3.0
>
>
> to avoid an attacker falsifying the credentials of other users
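
The ordering point raised in the comment above, as an added example (not code from the issue or from Java-Chassis): the edge accepts a client-supplied context but writes its own authenticated values last. It assumes the cse-context header has already been parsed into a map; the key names `user-id` and `tenant`, the class name and the method names are hypothetical, and the sample values are constructed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class EdgeContextDemo {
    // Hypothetical keys that only the edge's own authentication step may populate.
    static final Set<String> PROTECTED = Set.of("user-id", "tenant");

    // Weak ordering: edge values are written first and the client context is
    // applied afterwards, so a client entry replaces an authenticated one.
    static Map<String, String> forwardWeak(Map<String, String> clientCtx,
                                           Map<String, String> edgeAuth) {
        Map<String, String> out = new HashMap<>(edgeAuth);
        out.putAll(clientCtx);
        return out;
    }

    // Corrected ordering: client context first, edge values set last.
    static Map<String, String> forwardSafe(Map<String, String> clientCtx,
                                           Map<String, String> edgeAuth) {
        Map<String, String> out = new HashMap<>(clientCtx);
        out.putAll(edgeAuth); // authenticated values win on any key collision
        // A protected key the edge did not set must not survive from the client.
        for (String key : PROTECTED) {
            if (!edgeAuth.containsKey(key)) {
                out.remove(key);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: client-supplied context carrying a legitimate
        // tracing entry plus two entries that collide with protected keys.
        Map<String, String> client = Map.of(
                "trace-id", "t-123",
                "user-id", "someone-else",
                "tenant", "other-tenant");
        // Constructed sample: what the edge established by authenticating the caller.
        Map<String, String> edge = Map.of("user-id", "alice");

        System.out.println("weak: " + forwardWeak(client, edge));
        System.out.println("safe: " + forwardSafe(client, edge));
    }
}
```

With the corrected ordering the tracing entry still passes through, which keeps the use case the comment argues for, while the protected keys only ever carry values the edge set itself.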