[jboss-jira] [JBoss JIRA] Updated: (JBWEB-141) Servlet Filter against XSS and CSRF

[Remy Maucherat (JIRA)]

     [ https://jira.jboss.org/jira/browse/JBWEB-141?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Remy Maucherat updated JBWEB-141:
---------------------------------

    Security: Public  (was: JBoss Internal)
    Priority: Minor  (was: Major)


> Servlet Filter against XSS and CSRF
> -----------------------------------
>
>                 Key: JBWEB-141
>                 URL: https://jira.jboss.org/jira/browse/JBWEB-141
>             Project: JBoss Web
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>            Reporter: Marc Schoenefeld
>            Assignee: Remy Maucherat
>            Priority: Minor
>
> Cross-Site scripting and cross-site request forgery attacks are common threat to every web application. 
> So a common solution offered by the http server is helpful to raise the default protection level. 
> A servlet filter will help to  
> a) allow/block requests for a set of XSS regex patterns (per default blacklist suspicious parameter patterns, and optionally whitelist valid requests for well-known applications)  
> b) allow/block requests that fulfil the criteria for being a forged request (failing nonce compare), this will need a javascript helper on the client side, to transparently protect existing applications to provide the shared secret in the session . 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira