Some questions regarding the HttpModule

May 25, 2009 at 12:39 PM

I have a question regarding the Http runtime module. At first I was perplexed as to why the Anti-Xss would not intercept requests and encode the output. Upon investigation I found that if anything is put into Application, then the module is not loaded.

Looking at the code for the runtime, I found that unless the application has no items, the code to initialize the module is not executed.

	if (context.Application != null && (context.Application.Count <= 0 && context.Application["AntiXssModuleConfig"] == null))

Is there any reason for this? We use the Application to keep an active session count. My assumption would be that you're alleviating the possibility of attack from application variables? For now we have commented out this code in order to get everything running (and it works great) but would like to know the reasoning behind this.



May 29, 2009 at 4:52 PM

I would run more tests by removing it and see what the side effect is. At this point I don't see any immediate issues; will keep you posted.