Hello,
The company where I work is starting a new family of web applications and has decided to use GWT on the client side.
In the matter of security, I've conducted a review of GWT XSS/XSRF best practices and I'd like to confirm my assumptions.
For communication with our server we will be using JSON with REST and HTTP-Basic authentication to authenticate the user. All HTTP traffic takes place over an SSL connection. It is my understanding that using HTTP-Basic, which requires an explicit username and password for each operation, should protect us from XSRF attacks, as the session is not maintained with cookies and the server side is entirely stateless. This is of course assuming some malicious code does not find its way inside our GWT application and steal the username and password from within there, which brings our attention to cross-site scripting attacks.
For the four XSS attack vectors mentioned in http://www.gwtproject.org/articles/security_for_gwt_applications.html I believe we are (mostly) safe if we:
- Don't use JavaScript on the host page
- Don't use JavaScriptNativeInterface
- Use innerHtml or setHtml only with SafeHtml or not at all
- Access user created strings to and from widgets by getText/setText methods
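The last two list items above (SafeHtml-only markup, getText/setText for user strings) are easiest to see side by side. The following is an added example and is not code from the original post or from the GWT project; it uses GWT's public SafeHtml and widget APIs, and the class name `CommentView`, the sample input string and the surrounding module setup are assumptions made for illustration.

```java
// Added example (not from the original post): the SafeHtml discipline from
// the list above, applied to a constructed sample of untrusted input.
import com.google.gwt.core.client.EntryPoint;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlBuilder;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.user.client.ui.HTML;
import com.google.gwt.user.client.ui.Label;
import com.google.gwt.user.client.ui.RootPanel;

public class CommentView implements EntryPoint {

    // Constructed sample of attacker-controlled text, e.g. a comment body
    // that arrived in the server's JSON response. Not real data.
    private static final String UNTRUSTED_BODY = "<img src=x onerror=alert(1)>Hello";
    private static final String UNTRUSTED_NAME = "Mallory <script>";

    // Preferred path: a text widget never parses its content as markup,
    // so setText renders the angle brackets literally.
    public static Label asLabel(String untrusted) {
        Label label = new Label();
        label.setText(untrusted);
        return label;
    }

    // When markup is genuinely needed, keep the tags as compile-time
    // constants and route every untrusted piece through appendEscaped,
    // which turns '<', '>', '&', '"' and '\'' into entities.
    public static SafeHtml render(String displayName, String body) {
        SafeHtmlBuilder b = new SafeHtmlBuilder();
        b.appendHtmlConstant("<div class=\"comment\"><b>");
        b.appendEscaped(displayName);
        b.appendHtmlConstant("</b>: ");
        b.appendEscaped(body);
        b.appendHtmlConstant("</div>");
        return b.toSafeHtml();
    }

    // Single untrusted string, no surrounding markup: fromString escapes it.
    // (fromTrustedString does NOT escape and is reserved for markup you
    // generated yourself; never hand it a server- or user-supplied string.)
    public static SafeHtml escapeOnly(String untrusted) {
        return SafeHtmlUtils.fromString(untrusted);
    }

    @Override
    public void onModuleLoad() {
        RootPanel root = RootPanel.get();

        // Safe: text widget.
        root.add(asLabel(UNTRUSTED_BODY));

        // Safe: HTML widget fed a SafeHtml value only.
        HTML comment = new HTML(render(UNTRUSTED_NAME, UNTRUSTED_BODY));
        root.add(comment);
        comment.setHTML(escapeOnly(UNTRUSTED_BODY));

        // The pattern the list item warns against, left here as a comment:
        //   new HTML(UNTRUSTED_BODY)  or  comment.setHTML(UNTRUSTED_BODY)
        // would hand the raw string to innerHTML and execute the onerror handler.
    }
}
```

The String-accepting overloads of `HTML` and `setHTML` still exist for backward compatibility, so the practical check is a grep for `new HTML(` and `.setHTML(` that are not passed a `SafeHtml`; `appendHtmlConstant` also refuses non-constant arguments at development time, which catches untrusted strings that slip into the "constant" slot.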