[ 
https://issues.apache.org/jira/browse/SCB-1263?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16822292#comment-16822292
 ] 

liubao commented on SCB-1263:
-----------------------------

Tracing is one of the possible scenarios, and you give an optional way to 
implement this. I still think making it possible for users to specify the 
cse-context header is important. 


Specifying cse-context is not the vulnerability, but "the set must happen after 
the override" is. This is very common in the HTTP protocol: users can set any 
internal hidden headers, and the application takes responsibility to protect 
against override. 

> forward request in edge should not inherit cse-context
> ------------------------------------------------------
>
>                 Key: SCB-1263
>                 URL: https://issues.apache.org/jira/browse/SCB-1263
>             Project: Apache ServiceComb
>          Issue Type: Task
>          Components: Java-Chassis
>            Reporter: wujimin
>            Assignee: YaoHaishi
>            Priority: Major
>             Fix For: java-chassis-1.3.0
>
>
> to avoid attacker to falsify the credentials of other users
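The ordering point made in the comment above, as an added example that is not ServiceComb's own code: an edge that sets the internal context first and then copies the client's headers lets a client-supplied cse-context win, while copying first, dropping any client copy, and setting the header last does not. The header's value format and the context fields are assumptions for the illustration.

```python
"""Edge-forwarding header handling: why the order of "copy client headers"
and "set internal context" matters for an internal header like cse-context.

Added illustration, not Java-Chassis code. The header name cse-context comes
from the issue; the JSON value format and the context fields are constructed
assumptions, not the real encoding.
"""
import json

INTERNAL_HEADERS = {"cse-context"}


def edge_context(authenticated_user: str) -> dict:
    # Context the edge derives from its own authentication step (assumed fields).
    return {"user": authenticated_user, "source": "edge"}


def forward_headers_vulnerable(client_headers: dict, authenticated_user: str) -> dict:
    """Sets the internal context first, then copies client headers, so a
    client-supplied cse-context overrides the edge's value."""
    out = {"cse-context": json.dumps(edge_context(authenticated_user))}
    for name, value in client_headers.items():
        out[name.lower()] = value          # the override happens here
    return out


def forward_headers_fixed(client_headers: dict, authenticated_user: str) -> dict:
    """Copies client headers first, drops any internal header the client sent,
    and only then sets cse-context from the edge's own trusted context."""
    out = {}
    for name, value in client_headers.items():
        if name.lower() in INTERNAL_HEADERS:
            continue                        # never inherit internal headers
        out[name.lower()] = value
    out["cse-context"] = json.dumps(edge_context(authenticated_user))
    return out


def upstream_user(forwarded_headers: dict) -> str:
    # What an internal service would read as the caller identity.
    return json.loads(forwarded_headers["cse-context"])["user"]


# Constructed request: the caller authenticated at the edge as "alice" but
# also sent its own cse-context header naming a different user.
CLIENT_HEADERS = {
    "Accept": "application/json",
    "cse-context": json.dumps({"user": "admin"}),
}

if __name__ == "__main__":
    print(upstream_user(forward_headers_vulnerable(CLIENT_HEADERS, "alice")))  # admin
    print(upstream_user(forward_headers_fixed(CLIENT_HEADERS, "alice")))       # alice
```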



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
