Undertow / UNDERTOW-2190

DefaultServlet serves CSS and JS blobs even if directory listing is disabled

Looking at the code, this probably affects the `ResourceHandler` class, but I'm not using it at the moment to test.

If you have a deployment which has disabled directory listing, you can still get Undertow to serve up the CSS and JS blobs if you hit a real folder with ?css or ?js in the query string. This is because both the `DefaultServlet` and `ResourceHandler` serve up the CSS and JS blobs before ever checking if directory listing is enabled.

While the contents of the CSS/JS files aren't sensitive, this can be used as an information disclosure to detect whether a server is running Undertow by guessing a well-known directory name.

Here are real examples from one of my production servers which is "locked down" and has directory listing disabled. I would not expect these to return the CSS and JS content.

https://www.ortussolutions.com/config/?css

https://www.ortussolutions.com/config/?js

              rhn-support-rmartinc Ricardo Martin Camarero
              bdw429s Brad Wood
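The fingerprinting check the report describes, as an added example (not Undertow project code and not something the reporter posted): request a real directory three times, bare, with `?css`, and with `?js`, and compare the answers. On a deployment with directory listing disabled all three should be refused alike; if the query-string variants come back 200 with a stylesheet or script media type while the bare path is refused, the listing blobs are being served ahead of the listing check. The media types tested for (`text/css`, `application/javascript` and friends), the `Resp` type, and every sample response in the block are assumptions constructed for the example, not captured data; the live `probe_directory` helper is only run when a URL is passed on the command line, so the module works offline.

```python
"""Probe a directory URL for the '?css' / '?js' listing-blob behaviour.

Added example for this report; not Undertow project code. Three requests for
one real directory are compared: the bare path, the path with '?css' and the
path with '?js'. With directory listing disabled the three should be refused
alike. If the query-string variants return 200 with a stylesheet or script
media type while the bare path is refused, the static blobs are served before
the listing check: the bug reported above, and a way to fingerprint Undertow.
The media types below and all sample responses are constructed assumptions.
"""
from dataclasses import dataclass
import sys
import urllib.error
import urllib.request


@dataclass
class Resp:
    status: int
    content_type: str
    body: str


# Assumed media types for the listing stylesheet and script blobs.
CSS_TYPES = {"text/css"}
JS_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}


def served_as(resp, types):
    """True if the response is a 200 whose media type (parameters stripped) is in `types`."""
    media = resp.content_type.split(";", 1)[0].strip().lower()
    return resp.status == 200 and media in types


def classify(base, css, js):
    """Compare the bare, '?css' and '?js' responses for one directory."""
    css_blob = served_as(css, CSS_TYPES)
    js_blob = served_as(js, JS_TYPES)
    bare_refused = base.status in (401, 403, 404)
    return {
        "css_blob_served": css_blob,
        "js_blob_served": js_blob,
        # Blobs appearing only because of the query string is the listing-asset
        # signature, whatever the lockdown state of the directory.
        "listing_assets_exposed": css_blob or js_blob,
        # The reported bug: bare directory refused, blobs still handed out.
        "leak_despite_disabled_listing": bare_refused and (css_blob or js_blob),
    }


def fetch(url, timeout=10):
    """GET `url`; return status, Content-Type and up to 4 KiB of body."""
    req = urllib.request.Request(url, headers={"User-Agent": "listing-blob-check/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            body = r.read(4096).decode("utf-8", "replace")
            return Resp(r.status, r.headers.get("Content-Type", ""), body)
    except urllib.error.HTTPError as e:
        return Resp(e.code, e.headers.get("Content-Type", "") or "", "")


def probe_directory(dir_url):
    """Fetch the bare directory plus '?css' and '?js' and classify the trio (network)."""
    if not dir_url.endswith("/"):
        dir_url += "/"
    return classify(fetch(dir_url), fetch(dir_url + "?css"), fetch(dir_url + "?js"))


# Constructed sample responses (not captured from any server): the leaking case
# a tester is looking for, and the behaviour expected once the check is fixed.
FORBIDDEN = Resp(403, "text/html;charset=UTF-8", "<html><body>Forbidden</body></html>")
LOCKED_DOWN_BUT_LEAKING = (
    FORBIDDEN,
    Resp(200, "text/css", "/* constructed stylesheet body */"),
    Resp(200, "application/javascript", "/* constructed script body */"),
)
LOCKED_DOWN_AND_FIXED = (FORBIDDEN, FORBIDDEN, FORBIDDEN)

if __name__ == "__main__":
    # Usage: python listing_blob_check.py https://example.invalid/config
    if len(sys.argv) > 1:
        print(probe_directory(sys.argv[1]))
    else:
        print(classify(*LOCKED_DOWN_BUT_LEAKING))
        print(classify(*LOCKED_DOWN_AND_FIXED))
```

Only `leak_despite_disabled_listing` corresponds to the condition in the report; `listing_assets_exposed` fires as well when listing is deliberately enabled, which is not a bug but still tells a scanner what server it is talking to. Run it against a directory you are authorised to test, not the reporter's production hosts.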