Friday, July 26, 2013

Re: How to prevent CSRF/XSRF when using RequestFactory



On Friday, July 26, 2013 11:53:18 AM UTC+2, Sergei Kirsanov wrote:
What's the current state of Request Factory and CSRF/XSRF for 2.5.1 version?

Nothing's changed.
 
This post confuses me: http://stackoverflow.com/questions/6227436/preventing-csrf-when-using-gwts-requestfactory

What confuses you?

BTW, wrt what's written above about the presence of custom headers being enough (which I'm not sure about, but I'm not a security expert), the DefaultRequestTransport includes two such headers already, so it's mostly a matter of checking their presence on the server side:
