P. Michael Virga 2004-01-19, 8:21 am
Hi. I am working at a business partner site where one of their products
being ported to WebSphere from WebLogic gets a 403 Access Forbidden
error message. This occurs when accessing a page via a URL in the
application where a script executes trying to delete a record from the
favorites file on the client machine. The application works fine in
WebLogic. I also understand the reason to stop this from happening, due
to the security vulnerabilities if this functionality were to be
allowed. The question is, what are the alternatives available to the
customer/business partner short of disabling the security feature on the
HttpServer? Anyone have any ideas?

Also, what kind of requests get blocked by Apache for preventing Cross
Site Scripting (XSS)? If we know that, we can try to construct the URL in
such a way that it doesn't violate XSS filters.

The application always uses an <html></html> block in the URL for
handling the favorites. If Apache is to block this kind of request (for
XSS), then even add/modify of favorites shouldn't work. But in this
case, only the delete filter is not working.
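The filter behaviour the post asks about, as an added example that is not part of the original post or of IBM HTTP Server / WebSphere: a hypothetical XSS-style check that flags HTML tags in a request URL (whether the angle brackets arrive raw or percent-encoded), next to a helper that addresses a favorites record by an opaque id so the request carries no markup at all. The regular expression, the sample URLs, and the function names are assumptions; the real product's rule is not shown on the page.

```python
# Added example (not from the original post or from WebSphere/IBM HTTP Server):
# an illustrative XSS-style request filter and a markup-free way to address
# a favorites record. The pattern and helper names are assumptions.
import re
from urllib.parse import urlsplit, unquote, urlencode, urlunsplit

# Hypothetical filter pattern: reject any request whose path or query, after
# percent-decoding, contains an HTML tag such as <html> or </html>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def looks_like_markup(url: str) -> bool:
    """Return True if the path or query carries an HTML tag, even when the
    angle brackets arrive percent-encoded (%3C ... %3E)."""
    parts = urlsplit(url)
    for piece in (parts.path, parts.query):
        # Decode twice so double-encoded values are caught; harmless on plain text.
        decoded = unquote(unquote(piece))
        if TAG_RE.search(decoded):
            return True
    return False


def favorites_url(base: str, action: str, record_id: int) -> str:
    """Build a favorites request that identifies the record by an opaque id
    instead of embedding markup in the URL, so a tag filter has nothing to
    object to for add, modify or delete alike."""
    if action not in ("add", "modify", "delete"):
        raise ValueError("unknown favorites action")
    parts = urlsplit(base)
    query = urlencode({"action": action, "id": record_id})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


# Constructed sample requests (hostnames and parameters are made up).
BLOCKED = "http://app.example/favorites?entry=<html></html>"
BLOCKED_ENCODED = "http://app.example/favorites?entry=%3Chtml%3E%3C/html%3E"
ALLOWED = favorites_url("http://app.example/favorites", "delete", 42)

if __name__ == "__main__":
    for u in (BLOCKED, BLOCKED_ENCODED, ALLOWED):
        print("blocked" if looks_like_markup(u) else "allowed", u)
```

The point of the second helper is the design choice: a record identifier in the query string (or in a POST body) lets the application keep its favorites feature while the front-end filter stays enabled, which is the alternative to switching the security feature off that the post asks for.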