RequestFactory (and GWT RPC as well) automatically adds a custom http header ("X-GWT-Permutation") to each request. See DefaultRequestTransport.java. In modern browsers, it is impossible to add such a request header in a cross-site manner. Because of this feature, most developers don't need to worry about CSRF - GWT automatically protects them.
However, old versions of flash allow an attacker to set custom http headers, thus bypassing default CSRF protection. If your website has users that use outdated versions of flash, those specific users only would be vulnerable to CSRF.
If you think this is sufficient risk, you will have to continue sending the sessionid in the request and verifying it on the server. To do so, you can extend DefaultRequestTransport as mentioned by Thomas, and add the user specific session id as a request header. Then, on the server side, match the ids in the session object and the request header. If they are not equal, abort the request.
--Sri
On 1 December 2010 10:26, David Chandler <drfibonacci@google.com> wrote:
Hi Daniel,
I haven't tested it yet, but I believe you can extend
DefaultRequestTransport as discussed in this thread to set a request
header containing your session ID or other XSRF token:
http://groups.google.com/group/google-web-toolkit/browse_thread/thread/e835c3153bc62f4c/751df0dc6aa7eb40?lnk=gst&q=entitymanagerfactory#751df0dc6aa7eb40
HTH,
/dmc
--
On Tue, Nov 30, 2010 at 10:38 PM, Daniel Cowx <daniel.cowx@gmail.com> wrote:
> Hi guys,
>
> I've been using GWT-RPC up until this point, but would like to make
> the switch to RequestFactory shortly. I'm a bit confused as to how to
> prevent CSRF/XSRF with RequestFactory though.
>
> As per http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ,
> up to this point I've been sending the session ID within the *payload*
> of each RPC. Works great. Should I be doing something similar with
> RequestFactory? Any and all suggestions greatly welcome!
>
> Thanks,
> Daniel
>
> --
> You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
> To post to this group, send email to google-web-toolkit@googlegroups.com.
> To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
>
>
David Chandler
Developer Programs Engineer, Google Web Toolkit
http://googlewebtoolkit.blogspot.com/
--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to google-web-toolkit@googlegroups.com.
To unsubscribe from this group, send email to google-web-toolkit+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
No comments:
Post a Comment