> Sorry, again, looking at your above example, to make my point
> clear, using Firebug I can find (!user.isAuthenticated()) and any
> a JS debugger to subvert it. GWT obfuscates JS code, but
> anyone with 1) curiosity and a brain, 2) ulterior motives , this
> is a cakewalk.
>
> Think about it.
>
> and
>
> NEVER TRUST THE CLIENT. Always verify every action for permission
> on the server side.
Very true and I thought about that. My reasoning is that without a
user token there will be no "interesting" data available (it's still
on the server) so there is no leak. And anyone can sign up for an
account so if a bad guy just wants to have a look at the JS code then
they can get it. Do you think there is a flaw in my logic?
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
No comments:
Post a Comment