-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mathew,
On 4/8/2011 12:19 PM, Mathew Samuel wrote:
> That was a good test suggestion, to compare the page source between when
> CSRF is on and off. What surprised me is that the page source between
> the two is identical.
>
> But still with the CSRF filter on I see this:
>
> And with that filter off I see this:

(By now, you've seen that the list strips attachments. Feel free to use something like pastebin or your own website to host images and just post links.)

> Essentially it was showing a screenshot when the filter was on and
> there were no images, no theme, nothing. And then the following one
> with it off which had everything in place. But HTML source is
> identical.

Why not just copy/paste the actual page source into a message to the list? That would do just fine. You already said that the page was broken... there's no need for a screenshot to "show" that.

Are you saying that the CsrfPreventionFilter isn't modifying your static content URLs /at all/? If that's the case, then you aren't running those URLs through HttpServletResponse.encodeURL before they go into the page.

I'm very surprised that the HTML source is identical with the filter on versus off: the purpose of the filter is to /modify the page source/.

> If I was fronting with Apache httpd would there be something
> specifically that I would have to do?

Possibly. I haven't looked at the filter's source code closely enough to determine this, but I know that ";jsessionid" often trips up httpd when loading static data, so this could be a similar situation.

> I believe there might be some
> setups where this may be the case. Although my current setup doesn't
> have it.

Well, then that's not the problem.
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2fYKIACgkQ9CaO5/Lv0PDnKACeOXqDZnukTVyuyjj4JTB5CDXM
L50AoLpvEimIgvFKAnYaXnvivcTNdwIz
=vWHP
-----END PGP SIGNATURE-----
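The point Chris makes above (static-content URLs must go through HttpServletResponse.encodeURL for CsrfPreventionFilter to work on them) is illustrated by the following servlet. This is an added example, not code from the thread or from Tomcat; the servlet name, the asset paths and the `asset`/`esc` helpers are hypothetical. It assumes the Tomcat CsrfPreventionFilter is mapped over the servlet's URL, in which case the filter's response wrapper appends its nonce parameter (`org.apache.catalina.filters.CSRF_NONCE`) to every URL passed through `encodeURL`.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical page servlet (example code, not from the original thread).
 *
 * Behind CsrfPreventionFilter, every link or asset URL the page emits must be
 * passed through response.encodeURL(): the filter wraps the response so that
 * encodeURL appends the per-session nonce, and requests arriving without a
 * valid nonce are rejected. A hard-coded path never reaches that wrapper, so
 * the browser fetches the stylesheet and images without a nonce and the filter
 * blocks them. That is the "no images, no theme, nothing" symptom, and it is
 * visible in the page source: the href/src attributes carry no CSRF_NONCE
 * parameter even though the filter is on.
 */
public class ThemedPageServlet extends HttpServlet {

    // Helper for asset and link URLs: always route them through encodeURL.
    private static String asset(HttpServletRequest req, HttpServletResponse resp, String path) {
        return resp.encodeURL(req.getContextPath() + path);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // BROKEN: a literal path bypasses the filter's response wrapper, so no
        // nonce is appended and the filter rejects the request for it.
        // String css = req.getContextPath() + "/css/theme.css";

        // FIXED: with the filter mapped, encodeURL adds the nonce parameter;
        // with the filter off, encodeURL returns the URL unchanged (apart from
        // ;jsessionid rewriting when the session is not cookie-tracked), which
        // is why the source is expected to differ between the two runs.
        String css  = asset(req, resp, "/css/theme.css");
        String logo = asset(req, resp, "/img/logo.png");
        String next = asset(req, resp, "/reports");

        out.println("<!DOCTYPE html><html><head>");
        out.println("<link rel=\"stylesheet\" href=\"" + esc(css) + "\">");
        out.println("</head><body>");
        out.println("<img src=\"" + esc(logo) + "\" alt=\"logo\">");
        out.println("<a href=\"" + esc(next) + "\">Reports</a>");
        out.println("</body></html>");
    }

    // Minimal attribute escaping: the encoded URL may contain '&' once the nonce
    // is appended after other query parameters, so escape it for HTML attributes.
    private static String esc(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;");
    }
}
```

A quick check for the situation in the thread: view the page source with the filter mapped and look at the `href` and `src` attributes. If they carry no `org.apache.catalina.filters.CSRF_NONCE=...` parameter, the URLs were written as literals rather than through `encodeURL`, and the filter has nothing to protect them with. Whether static resources should be subject to the filter at all is a separate design choice; mapping the filter's `url-pattern` so it covers only dynamic URLs, or listing the relevant paths in its `entryPoints` init-param, are the two ways Tomcat offers to leave them out.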