I have a question regarding the Http runtime module. At first I was perplexed as to why the Anti-Xss would not intercept requests and encode the output. Upon investigation I found that if anything is put into Application, then the module is not
Looking at the code for the runtime, I found that unless the application has no items, the code to initialize the module is not executed.
if (context.Application != null && (context.Application.Count <= 0 && context.Application["AntiXssModuleConfig"] == null))
Is there any reason for this? We use the ASP.NET Application to keep an active session count. My assumption would be that you're alleviating the possibility of attack from application variables? For now we have commented out this code in order
to get everything running (and it works great) but would like to know the reasoning behind this.