Gertjan Klein wrote:
> >>http://example.com/app/_CSP.StreamServer.cls?FILE=/app/login.csp
> I would have preferred it if %CSP.StreamServer had been an abstract
> class and defined a callback function, called when a file is about to
> be served, that returns whether or not this is OK. (The default for
> the return value would, of course, be false.) To make a functioning
> stream server, a custom class would need to be created that inherits
> %CSP.StreamServer and overrides the callback function to return true.

I think you made a good case for this.
The hole should be plugged, the sooner the less painful.

The list of known security vulnerabilities needs to grow smaller, not larger.

Systems need to be secure by default.
They need to remain secure against accidental changes.
Turning on "serve pages" does not provide ample warning of the risk.
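The design Gertjan describes in the quoted paragraph, as an added Python illustration (not code from this thread, and not InterSystems' %CSP.StreamServer API): a base stream server whose per-file callback refuses by default, so an unsubclassed server leaks nothing, plus one subclass that deliberately opts in for static assets. The names StreamServer, StaticAssetServer, may_serve and the WEB_ROOT contents are constructed for the example.

```python
import posixpath
from typing import Optional

# Constructed stand-in for files under the web root (not real paths or content).
# The .csp file is server-side source that must never be streamed to a browser.
WEB_ROOT = {
    "/app/login.csp": b"<server-side CSP source: constructed>",
    "/static/logo.png": b"\x89PNG constructed bytes",
    "/static/site.css": b"body { margin: 0 }",
}


class StreamServer:
    """Base stream server in the shape proposed above: it serves nothing
    unless a subclass overrides may_serve() and explicitly says otherwise."""

    def may_serve(self, path: str) -> bool:
        """Callback consulted before any file is served. Secure default: refuse."""
        return False

    @staticmethod
    def normalize(requested: str) -> str:
        # Collapse '.' and '..' segments and force a leading '/', so the
        # callback always judges the real path that would be read.
        return posixpath.normpath("/" + requested.lstrip("/"))

    def serve(self, requested: str) -> Optional[bytes]:
        """Return the file bytes, or None when the callback refuses."""
        path = self.normalize(requested)
        if not self.may_serve(path):
            return None  # refused: accidental configuration cannot expose source
        return WEB_ROOT.get(path)


class StaticAssetServer(StreamServer):
    """The one deliberate opt-in: public static assets under /static/ only."""

    ALLOWED_PREFIX = "/static/"
    ALLOWED_SUFFIXES = (".png", ".css", ".js")

    def may_serve(self, path: str) -> bool:
        # Allow-list by location and type; everything else keeps the default 'no'.
        return path.startswith(self.ALLOWED_PREFIX) and path.endswith(self.ALLOWED_SUFFIXES)


if __name__ == "__main__":
    base, static = StreamServer(), StaticAssetServer()
    for req in ("/app/login.csp", "/static/logo.png", "/static/../app/login.csp"):
        print(f"{req:32} base={base.serve(req)!r:8} static={static.serve(req)!r}")
```

The default-refusing base class is the point: enabling the stream server on its own exposes nothing, and the only way to serve a file is to write the opt-in rule yourself, where the normalization step stops a `..` segment from smuggling a `.csp` source file past a prefix check.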
