On Jan 28, 2010, at 7:49 AM, Ian Boston wrote:

> One of our QA people is reporting that Sling servlets support the TRACE
> method, which can be used for XSS attacks.

No, it can't, or at least it doesn't make any difference whether
TRACE is supported or not because the security leak is allowing
javascript to send cookies and credentials with TRACE.  The original
report that TRACE was at fault is ridiculous, and just keeps getting
repeated because "security" reports never die.

The only reason to disable TRACE is to satisfy MIS managers who don't
actually understand security but want to disable it anyway.

....Roy
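Roy's argument above is that the leak is in what TRACE echoes back, not in the method itself. As an added example (not from this thread or from Sling), here is a small Python model of how an HTTP/1.1 origin server answers TRACE, showing the enabled, header-redacting and disabled behaviours side by side; the function names and the sample request are constructed for illustration.

```python
# Added illustration, not code from the thread: models an origin server's
# reply to TRACE so the echoed credentials (or their absence) can be inspected.
SENSITIVE = {"cookie", "authorization", "proxy-authorization"}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (request_line, {name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers

def trace_response(raw_request: bytes, trace_enabled: bool, redact: bool = False) -> bytes:
    """Answer a TRACE request the way an HTTP/1.1 origin server does.

    An enabled TRACE echoes the received request line and headers back as a
    message/http body, so any Cookie or Authorization header the browser attached
    comes back where a script can read it. RFC 7231 §4.3.8 says the final recipient
    SHOULD drop such headers (redact=True); a disabled TRACE gets a bare 405.
    """
    request_line, headers = parse_request(raw_request)
    if not trace_enabled:
        body, status, ctype = b"TRACE not allowed\r\n", b"405 Method Not Allowed", b"text/plain"
    else:
        echo = request_line + "\r\n"
        for name, value in headers.items():
            if not (redact and name in SENSITIVE):
                echo += f"{name}: {value}\r\n"
        body, status, ctype = echo.encode(), b"200 OK", b"message/http"
    return (b"HTTP/1.1 " + status + b"\r\nContent-Type: " + ctype +
            b"\r\nContent-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)

def echoed_headers(response: bytes) -> dict:
    """What a script could recover from the reply: the echoed headers, or {}."""
    if not response.startswith(b"HTTP/1.1 200"):
        return {}
    _head, _, body = response.partition(b"\r\n\r\n")
    _echoed_line, headers = parse_request(body.rstrip(b"\r\n"))
    return headers

# Constructed sample: a script-issued TRACE to which the browser attached a cookie.
SAMPLE = (b"TRACE /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Cookie: JSESSIONID=constructed-value\r\n\r\n")
```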
