E1: JAS: Browser Cross-Site Scripting Filter Vulnerability
(Doc ID 2710426.1)
Last updated on SEPTEMBER 14, 2020
Applies to: JD Edwards EnterpriseOne Tools - Version 9.2 and later
Information in this document applies to any platform.
The following behavior is currently seen when using E1 via a web browser:
No X-XSS-Protection header is set in the response. The browser therefore falls back to its default behavior, in which detecting a cross-site scripting attack never prevents the page from being rendered.
It is considered better practice to instruct the browser's XSS filter never to render the web page when an XSS attack is detected.
The following header should be set:
X-XSS-Protection: 1; mode=block
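The following check is an added example, not part of the Oracle document. It parses the X-XSS-Protection header of an HTTP response the way a scanner reporting this finding would, and classifies the result as missing, disabled (0), filter-only (1 without mode=block), ok (the recommended value above), or invalid. The sample responses are constructed for illustration, not captured from a JAS server. One caveat for practitioners: Chromium-based browsers removed their XSS Auditor (Chrome 78) and Firefox never implemented one, so the header no longer changes behavior in those browsers; a Content-Security-Policy is the durable control, and this check only confirms whether the recommended header is present.

```python
"""Added example: classify an HTTP response's X-XSS-Protection header.

Not code from the Oracle note; sample headers below are constructed.
"""
from typing import Dict, Mapping, Optional, Tuple

RECOMMENDED = "1; mode=block"  # value the note asks for


def get_header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def parse_xss_protection(value: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Split '<flag>; <directive>=<val>; ...' into (flag, directives).

    Tolerates extra whitespace and mixed case, e.g. '1 ; Mode=Block'.
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, {}
    flag = parts[0]
    directives: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().lower()
    return flag, directives


def evaluate_xss_protection(headers: Mapping[str, str]) -> str:
    """Return one of: 'missing', 'disabled', 'filter-only', 'ok', 'invalid'."""
    value = get_header(headers, "X-XSS-Protection")
    if value is None:
        return "missing"  # the finding described in the note
    flag, directives = parse_xss_protection(value)
    if flag == "0":
        return "disabled"  # filter explicitly turned off
    if flag == "1":
        # '1' alone asks the browser to sanitize and still render the page;
        # only mode=block matches the recommendation to never render it.
        return "ok" if directives.get("mode") == "block" else "filter-only"
    return "invalid"


# Constructed sample response headers (hypothetical, not from a real E1 host).
SAMPLES: Dict[str, Dict[str, str]] = {
    "no header": {"Content-Type": "text/html"},
    "explicitly off": {"X-XSS-Protection": "0"},
    "filter without block": {"x-xss-protection": "1"},
    "recommended": {"X-XSS-Protection": RECOMMENDED},
    "odd spacing and case": {"X-Xss-Protection": "1 ; Mode=Block"},
    "garbage": {"X-XSS-Protection": "yes please"},
}


def scan(samples: Mapping[str, Mapping[str, str]]) -> Dict[str, str]:
    """Evaluate every sample and return name -> finding."""
    return {name: evaluate_xss_protection(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, finding in scan(SAMPLES).items():
        print(f"{name:<24} {finding}")
```

To run this against a live JAS instance, feed it the header mapping from whatever HTTP client you already use (for example the `headers` attribute of a `urllib.request` response); anything other than "ok" is the condition the note describes.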