10.14 Do not allow cross context requests

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


Setting crossContext to true allows for an application to call ServletConext.getContext to return a dispatcher for another application.


Allowing crossContext creates the possibility for a malicious application to make requests to a restricted application.


Set the crossContext attribute in all context.xml files to false:

<Context ... crossContext='false' />

Default Value:

By default crossContext has a value of false.

See Also