Tuesday, June 24, 2014

Security for new GWT web application


The company where I work is starting a new family of web applications and have decided to use GWT on the client side.

In the matter of security I've conducted a review of GWT XSS/XSRF best practices and I'd like to confirm my assumptions.

For communication with our server we will be using JSON with REST and HTTP-Basic authentication to authenticate the user. All HTTP traffic takes place over SSL connection. It is my understanding that using HTTP-Basic which requires explicit username and password for each operation should protect us from XSRF attacks as the session is not maintained with cookies and the server side is entirely stateless. This is of course assuming some malicious code does not find its way inside our GWT application and steal the username and password from within there, which brings our attention to cross-site scripting attacks.

For the XSS four attack vectors mentioned in http://www.gwtproject.org/articles/security_for_gwt_applications.html I believe we are (mostly) safe if we
  • Don't use JavaScript on the host page
  • Don't use JavaScriptNativeInterface
  • Use innerHtml or setHtml only with SafeHtml or not at all
  • Access user created strings to and from widgets by getText/setText methods
For the JSON part we are shall be using RestyGWT. For the JSON related security issues mentioned in GWT documentation I shall ask in the Resty's mailing list. But I assume if Resty succesfully parses the JSON code I am safe to pass the strings to GWT widgets by setText without need of SafeHtml or anything else.

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-web-toolkit+unsubscribe@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at http://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.

No comments:

Post a Comment