Thanks for the great reply. I'll modify my generators to output this code. Are there any resources you suggest to get started on properly protecting against a XSRF attack?
Adam

On Jan 22, 10:16 am, Shawn Pearce <[email protected]> wrote:
> On Wed, Jan 21, 2009 at 23:47, adambossy <[email protected]> wrote:
>
> > What is the big advantage of using GWT RPC over Request Builder
> > [http://code.google.com/docreader/#p=google-web-toolkit-doc-1-5&s=google-web-toolkit-doc-1-5&t=GettingStartedJSON]
> > or simply
> > JSON via HTTP [http://code.google.com/docreader/#p=google-web-toolkit-doc-1-5&s=google-web-toolkit-doc-1-5&t=GettingStartedJSON]?
> > I'm
> > generating all the code anyways, so why not generate something
> > simpler than RPC?
>
> None, really. JSON over HTTP is probably your best bet here. There's
> already magic JSON libraries for Python object graphs. And if you can
> generate the JavaScriptOverlay objects for use in Java, then you have pretty
> much what you need.
>
> GWT RPC has some protections against XSRF type attacks, like prefixing the
> response with "//" so browsers won't execute it if obtained via a <script>
> inclusion tag. It also uses HTTP POST by default to reduce the chances a
> <script> tag can invoke the RPC, and it embeds an extra HTTP header that
> makes it harder for <script> tags to initiate a call that might modify data
> on the server. But it's still not perfect as GWT RPCs can still be spoofed
> via standard AJAX calls. You'll want to do some research on current XSRF
> protection techniques and implement them in your application.
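An added sketch, not part of the thread and not GWT's own code, of the three measures described above applied to a JSON-over-HTTP endpoint, with a session-bound token on top as one common XSRF technique. It assumes a Python server; the header names, the key and the function names are hypothetical.

```python
import hashlib
import hmac
import json

# Assumptions for this sketch (none of these names come from the thread):
SERVER_KEY = b"constructed-demo-key"   # constructed; load a real secret from config
CUSTOM_HEADER = "x-app-request"        # hypothetical header a <script> tag cannot set
TOKEN_HEADER = "x-xsrf-token"          # hypothetical header carrying the session-bound token
PREFIX = "//"                          # response prefix described in the thread


def token_for(session_id: str) -> str:
    """Derive the XSRF token from the session id, so no server-side table is needed."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_request(method: str, headers: dict, session_id: str):
    """Return (allowed, reason) for a state-changing JSON call."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST":
        return False, "method"          # <script src> inclusion only issues GET
    if CUSTOM_HEADER not in h:
        return False, "custom-header"   # plain forms and <script> tags cannot add headers
    supplied = h.get(TOKEN_HEADER, "")
    if not hmac.compare_digest(supplied.encode(), token_for(session_id).encode()):
        return False, "token"           # another origin cannot read this session's token
    return True, "ok"


def wrap_json(obj) -> str:
    """Prefix the single-line body so it is only a comment if pulled in via <script>."""
    return PREFIX + json.dumps(obj)


def unwrap_json(body: str):
    """Client-side counterpart: strip the prefix before parsing."""
    if not body.startswith(PREFIX):
        raise ValueError("missing prefix")
    return json.loads(body[len(PREFIX):])
```

The generated client would send both headers on every call and run the equivalent of `unwrap_json` on each response before parsing it.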
