[ https://issues.apache.org/jira/browse/GERONIMO-6348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13281128#comment-13281128 ]
Jarek Gawor commented on GERONIMO-6348:
---------------------------------------
For future reference, here's what I've noticed in the second scenario. When step
#5 is performed, on Firefox, the request is redirected to the login screen and
after logging in, the displayPortlets() function in navigation.js is executed
which passes in the new formId to the iframe page.
On IE, the displayPortlets() function in navigation.js is executed first which
sets the old formId to the iframe page which then is redirected to login
screen. And once logged in the request is forwarded to the page with the old
formId.
> XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content
> --------------------------------------------------------------------
>
> Key: GERONIMO-6348
> URL: https://issues.apache.org/jira/browse/GERONIMO-6348
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: console
> Affects Versions: 3.0-beta-1
> Environment: Windows, IE8 with compatibility mode on or Eclipse
> internal web browser.
> Reporter: Jarek Gawor
>
> When using the admin console on Windows with IE8 with compatibility mode on
> the following messages are generated on each click:
> 2012-05-10 01:57:10,307 WARN [XSRFHandler] Blocked due to missing HttpServletRequest parameter.
> 2012-05-10 01:57:10,307 ERROR [XSSXSRFFilter] XSSXSRFFilter blocked HttpServletRequest due to invalid FORM content.
> These messages are generated each time a request is made to access
> /console/dojo/dojo/resources/blank.html. It looks like Dojo has a special
> case for IE which generates this extra request not seen on other browsers.
> The problem is also visible using Eclipse's internal web browser which
> automatically gets configured with IE compatibility mode.
> These errors look harmless but can be very confusing and annoying to users so
> I think we need to find some way to avoid them.