On 01/08/2022 18:03, Christopher Schultz wrote:
<snip/>
private volatile boolean cachedUseLegacyDoHead;
+ static {
+ SENSITIVE_HTTP_HEADERS.add("cookie");
+ SENSITIVE_HTTP_HEADERS.add("www-authenticate");
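Review bot: the "www-authenticate" entry in the static initializer names a response header (the server's challenge), so it will not match the credentials a client sends in a request. The request header that carries them is "authorization", with "proxy-authorization" as the proxy counterpart; suggest replacing the entry with those. The entries are stored lower-case, so the code that consults SENSITIVE_HTTP_HEADERS has to lower-case the incoming header name, in a locale-independent way, before the lookup. A short comment on the block saying the set lists request headers withheld from the TRACE response would also help.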
> How about "Authorization"?
That makes more sense than WWW-Authenticate which is the challenge
rather than the response. I'll get that fixed.
> Is there a standard way for HTTP TRACE to reply to the client saying "oh
> and btw I removed the Cookie and Authentication headers you sent, so
> they aren't there but you did send them"?
Unfortunately not.
Mark
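
The filtering discussed in this thread, as an added example that is not part of the original message and is not Tomcat's code: a TRACE response body is built from the request headers while credential-bearing headers are skipped. The class and method names are hypothetical, the set's contents (including "proxy-authorization") are an assumption of this example, and the sample request is constructed.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

public class TraceEchoFilter {

    // Assumed contents for this example: request headers that carry credentials.
    // Stored lower-case because HTTP field names are case-insensitive.
    private static final Set<String> SENSITIVE_HTTP_HEADERS =
            Set.of("cookie", "authorization", "proxy-authorization");

    /** Builds a TRACE response body (message/http) without the sensitive headers. */
    static String buildTraceBody(String requestLine, Map<String, List<String>> headers) {
        StringBuilder body = new StringBuilder(requestLine).append("\r\n");
        for (Map.Entry<String, List<String>> header : headers.entrySet()) {
            String name = header.getKey();
            // Locale.ENGLISH keeps the match independent of the JVM default locale
            // (under a Turkish locale "AUTHORIZATION" would lower-case with a dotless i).
            if (SENSITIVE_HTTP_HEADERS.contains(name.toLowerCase(Locale.ENGLISH))) {
                continue;
            }
            // Echo every value of a multi-valued header on its own line.
            for (String value : header.getValue()) {
                body.append(name).append(": ").append(value).append("\r\n");
            }
        }
        return body.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request; header names use mixed case on purpose.
        Map<String, List<String>> headers = new LinkedHashMap<>();
        headers.put("Host", List.of("example.test"));
        headers.put("COOKIE", List.of("JSESSIONID=constructed-value"));
        headers.put("Authorization", List.of("Basic constructed-value"));
        headers.put("Accept", List.of("text/html", "application/json"));

        String body = buildTraceBody("TRACE /app HTTP/1.1", headers);
        System.out.print(body);
        if (body.toLowerCase(Locale.ENGLISH).contains("cookie") || body.contains("Basic")) {
            throw new AssertionError("sensitive header leaked into TRACE response");
        }
    }
}
```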