Wednesday, May 4, 2011

Re: Better XSRF protection in 2.3?

Two additions:

The goal of the XSRF protection implementation in 2.3 was most likely
to generate transaction tokens, that is, a unique shared secret for
each individual transaction. What I'm questioning is whether a
transparent and "always active" protection would increase security of
actual deployed GWT applications. I understand that there are
additional risks with a session-scoped XSRF token but I think it would
already be much better than the current situation.

The XSRF protection document mentions that it is a stateless solution.
On a stateless server HTTP sessions would be disabled though. Instead
of subclassing and replacing the session-specific code, a really
stateless variant should be provided. You could instead use an HMAC of
the "action signature". This has been implemented for JSF here:

https://issues.jboss.org/browse/JBSEAM-4007

--
You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
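The stateless HMAC-of-the-action scheme the post points to, sketched as an added example in Python for illustration (this is not code from the post, from GWT or from the Seam issue). The token binds the authenticated user, the action name and an expiry under a server-wide key, so the server keeps no per-session state; SERVER_KEY and the user/action names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Server-wide secret (constructed placeholder for this example; a real
# deployment loads it from configuration and never hard-codes it).
SERVER_KEY = b"example-server-key-replace-me"


def _mac(key: bytes, user_id: str, action: str, expires: int) -> bytes:
    # Bind the token to the user, the specific action and an expiry, so a
    # captured token cannot be replayed for another action, another user,
    # or indefinitely. NUL separators keep the fields unambiguous.
    msg = f"{user_id}\x00{action}\x00{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_token(user_id: str, action: str, ttl_seconds: int = 600,
                key: bytes = SERVER_KEY, now: Optional[float] = None) -> str:
    # Token format: "<expiry-epoch>.<urlsafe-base64 HMAC-SHA256>"
    expires = int((time.time() if now is None else now) + ttl_seconds)
    mac = _mac(key, user_id, action, expires)
    return f"{expires}.{base64.urlsafe_b64encode(mac).decode()}"


def verify_token(token: str, user_id: str, action: str,
                 key: bytes = SERVER_KEY, now: Optional[float] = None) -> bool:
    # Recompute the MAC from the server's own view of user and action;
    # the client only supplies the expiry and the MAC, never the fields.
    try:
        exp_str, mac_b64 = token.split(".", 1)
        expires = int(exp_str)
        presented = base64.urlsafe_b64decode(mac_b64)
    except (ValueError, TypeError):
        return False
    current = time.time() if now is None else now
    if current > expires:
        return False
    expected = _mac(key, user_id, action, expires)
    # Constant-time comparison avoids leaking the MAC via timing.
    return hmac.compare_digest(presented, expected)
```

The expiry is the only state the client carries, and it is authenticated because it is part of the MAC input, so shortening or extending it invalidates the token.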
