According to a response from Daycare, these log messages can be ignored. However, we believe that certain requests (http://localhost:4502/bin/security/authorizables.json) generate many such messages. Therefore, it is possible to slow down or even crash AEM under heavy load of authorizables.json, for example. Daycare suggested it is to be fixed in AEM 6.4. In the meantime, turning off logging on com.adobe.granite.xss.impl.XSSFilterImpl was the only short-term option.