Skype for Business and Insecure ClientAccessPolicy.XML

  • Question

  • Has anybody tried to modify the "Clientaccesspolicy.aspx" under Web Components\Join Launcher?

    I hit this question while pen testers were validating the Skype platform. The problem they are reporting is the AutoDiscover section:

          <allow-from http-request-headers="*">
            <domain uri="*" />
            <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" />

    as there are no restrictions like the previous section has. My idea was to take a copy from the previous section and paste these lines into the AutoDiscover section:

          <allow-from http-request-headers="*">
            <domain uri="<% =InternalWebUrl %>" />
            <domain uri="<% =ExternalWebUrl %>" />


    Tuesday, November 14, 2017 12:25 AM
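An added example, not part of the original post or of the Skype for Business product: a small audit that reads a rendered clientaccesspolicy.xml and reports every `<policy>` whose `<allow-from>` accepts any origin, together with the resource paths it grants. It assumes the policy as served to clients (the `.aspx` source with `<% =InternalWebUrl %>` placeholders is not well-formed XML), and the sample document, host names and the `/constructed/path` resource are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the Silverlight clientaccesspolicy.xml layout.
# Host names and the first resource path are placeholders, not real values.
SAMPLE_POLICY = """<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="https://internal.example.test" />
        <domain uri="https://external.example.test" />
      </allow-from>
      <grant-to>
        <resource path="/constructed/path" include-subpaths="true" />
      </grant-to>
    </policy>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <resource path="/autodiscover/autodiscoverservice.svc" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def audit_policy(xml_text):
    """Return one finding per <allow-from> that accepts any origin."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        for allow in policy.findall("allow-from"):
            uris = [d.get("uri", "").strip() for d in allow.findall("domain")]
            wild = [u for u in uris if u in ("*", "http://*", "https://*")]
            if not wild:
                continue  # origins are restricted to named hosts
            findings.append({
                "domains": wild,
                "headers": allow.get("http-request-headers", ""),
                "paths": [(r.get("path"), r.get("include-subpaths", "false").lower() == "true")
                          for r in policy.findall("grant-to/resource")],
            })
    return findings


if __name__ == "__main__":
    for f in audit_policy(SAMPLE_POLICY):
        print("wildcard origin", f["domains"], "headers", f["headers"], "->", f["paths"])
```
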