Friday, July 26, 2013

Re: How to prevent CSRF/XSRF when using RequestFactory

I was confused by the fact that the post was written later than a solution was suggested here, but X-GWT-Permutation was not mentioned there. Anyway, thanks Thomas.

On Friday, July 26, 2013 5:05:25 PM UTC+4, Thomas Broyer wrote:


On Friday, July 26, 2013 11:53:18 AM UTC+2, Sergei Kirsanov wrote:
What's the current state of Request Factory and CSRF/XSRF for 2.5.1 version?

Nothing's changed.
 
This post confuses me: http://stackoverflow.com/questions/6227436/preventing-csrf-when-using-gwts-requestfactory

What confuses you?

BTW, wrt what's written above about the presence of custom headers being enough (which I'm not sure about, but I'm not a security expert), the DefaultRequestTransport includes two such headers already, so it's mostly a matter of checking their presence on the server-side:

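As an added example, not code from the thread or from GWT itself: a servlet filter that does the server-side presence check Thomas describes, for the X-GWT-Permutation header the poster mentions. The class name, the init-param name and the url-pattern advice are my own assumptions; the header name is the one from the thread.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Rejects requests that lack the custom header DefaultRequestTransport adds.
 * Map it (assumed: in web.xml) to the same url-pattern as the RequestFactory
 * servlet so only that endpoint is guarded. The check relies on browsers not
 * attaching custom headers to cross-site requests without a CORS preflight,
 * so do not list this header in Access-Control-Allow-Headers for other origins.
 */
public class GwtHeaderCsrfFilter implements Filter {
  // Header name taken from the thread; overridable via the (assumed) init-param.
  private static final String DEFAULT_HEADER = "X-GWT-Permutation";
  private String requiredHeader = DEFAULT_HEADER;

  @Override
  public void init(FilterConfig config) {
    String configured = config.getInitParameter("requiredHeader");
    if (configured != null && !configured.trim().isEmpty()) {
      requiredHeader = configured.trim();
    }
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) resp;
    if (!isAcceptable(request)) {
      // 403 rather than a silent drop: the rejection shows up in access logs.
      response.sendError(HttpServletResponse.SC_FORBIDDEN, "Missing " + requiredHeader);
      return;
    }
    chain.doFilter(req, resp);
  }

  /** A request passes only if the header is present and non-blank. */
  boolean isAcceptable(HttpServletRequest request) {
    String value = request.getHeader(requiredHeader);
    return value != null && !value.trim().isEmpty();
  }

  @Override
  public void destroy() {}
}
```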