On Jan 28, 2010, at 7:49 AM, Ian Boston wrote:

> One of our QA people is reporting that Sling servlets support the TRACE
> method, which can be used for XSS attacks.
No, it can't, or at least it doesn't make any difference whether TRACE is supported or not, because the security leak is allowing javascript to send cookies and credentials with TRACE. The original report that TRACE was at fault is ridiculous, and just keeps getting repeated because "security" reports never die. The only reason to disable TRACE is to satisfy MIS managers who don't actually understand security but want to disable it anyway.

....Roy