Security Switch enables various ASP.NET applications to automatically switch requests for pages/resources between the HTTP and HTTPS protocols without the need to write absolute URLs in HTML markup.
I use SecuritySwitch in my MVC project, and the secure URL with XSS will be
executed, but not the insecure one, for example:
The config:
<add path="~/controler/action1" security="Insecure" />
<add path="~/controler/action2/" security="Secure" matchType="StartsWith" />
And I visit the website with the following:
http://localhost:8086/controler/action1/'==alert%28389%29=='
http://localhost:8086/controler/action2/'=alert%28389%29=='
The second URL will execute the JS in the browser, but the first one will not.
But if I change the second URL as follows:
https://localhost:8083/controler/action2/'=alert%28389%29==', the JS also will
not be executed.
So I doubt whether the process that switches HTTP to HTTPS decodes the URL correctly?
Original issue reported on code.google.com by moxia...@gmail.com on 12 May 2015 at 2:45