Thursday, April 18, 2013

Re: CSRF, XSS protection

> but it's impossible to hijack the session itself.

Why is this important when you have a hole in your site due to XSS, as you assume above?

If some script gets full access to your site through XSS, it can set any header it wants, such that your backend can't see the difference between a legal or illegal call.

What do I miss here?


--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.