Hi,

One of our QA people is reporting that Sling servlets support the TRACE method, which can be used for XSS attacks. I had thought that this was a Jetty misconfiguration issue, but I notice that SlingSafeMethodsServlet explicitly supports doTrace.
Not knowing anything about this sort of attack... is TRACE an issue? Should it be removed from the SlingSafeMethodsServlet or simply blocked in the Main Sling servlet? I can probably customise the Jetty config to prevent it locally, but thought it might be an issue for Sling.

Ian