On Jan 22, 7:42 pm, adambossy <[email protected]> wrote:
> Thanks for the great reply. I'll modify my generators to output this
> code. Are there any resources you suggest to get started on properly
> protecting against an XSRF attack?
>
> Adam
>
> On Jan 22, 10:16 am, Shawn Pearce <[email protected]> wrote:
>
> > On Wed, Jan 21, 2009 at 23:47, adambossy <[email protected]> wrote:
> >
> > > What is the big advantage of using GWT RPC over Request Builder
> > > [http://code.google.com/docreader/#p=google-web-toolkit-doc-1-5&s=google-web-toolkit-doc-1-5&t=GettingStartedJSON<http://code.google.com/docreader/#p=google-web-toolkit-doc-1-5&s=goog...>]
> > > or simply JSON via HTTP
> > > [http://code.google.com/docreader/#p=google-web-toolkit-doc-1-5&s=google-web-toolkit-doc-1-5&t=GettingStartedJSON<http://code.google.com/docreader/#p=google-web-toolkit-doc-1-5&s=goog...>]?
> > > I'm generating all the code anyways, so why not generate something
> > > simpler than RPC?
> >
> > None, really. JSON over HTTP is probably your best bet here. There's
> > already magic JSON libraries for Python object graphs. And if you can
> > generate the JavaScriptOverlay objects for use in Java, then you have pretty
> > much what you need.

I've started working on gwt+webpy, which is close to what you need. As a hint, the fastest python package for JSON encode/decode I've found is python-cjson.

> > GWT RPC has some protections against XSRF type attacks, like prefixing the
> > response with "//" so browsers won't execute it if obtained via a <script>
> > inclusion tag. It also uses HTTP POST by default to reduce the chances a
> > <script> tag can invoke the RPC, and it embeds an extra HTTP header that
> > makes it harder for <script> tags to initiate a call that might modify data
> > on the server. But it's still not perfect as GWT RPCs can still be spoofed
> > via standard AJAX calls. You'll want to do some research on current XSRF
> > protection techniques and implement them in your application.
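
The three measures listed in the quoted reply above (a "//" response prefix, POST only, a custom request header), applied to a JSON-over-HTTP endpoint in Python, with a session-bound token added as one XSRF defence. This is an added example, not code from the thread or from GWT; the header names and the functions `issue_token`, `handle_rpc` and `parse_response` are hypothetical, and the token scheme is this example's own assumption.

```python
import hashlib
import hmac
import json
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, generated here for the demo
RPC_HEADER = "x-example-rpc"           # hypothetical custom header set by the page's own script
TOKEN_HEADER = "x-example-token"       # hypothetical header carrying the session-bound token
PREFIX = "//"                          # makes the body a comment if pulled in via <script>


def issue_token(session_id):
    """Derive the token the server hands to the page for this session."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def handle_rpc(method, headers, session_id, body):
    """Validate one JSON-over-HTTP call; return (status, response_text)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method != "POST":                       # <script src> can only issue GET
        return 405, ""
    if hdrs.get(RPC_HEADER) != "1":            # <script> and plain forms cannot set headers
        return 403, ""
    supplied = hdrs.get(TOKEN_HEADER, "").encode()
    if not hmac.compare_digest(supplied, issue_token(session_id).encode()):
        return 403, ""                         # token does not match this session
    try:
        request = json.loads(body)
    except ValueError:
        return 400, ""
    if not isinstance(request, dict):
        return 400, ""
    result = {"echo": request.get("name")}     # stand-in for the real service call
    return 200, PREFIX + json.dumps(result)


def parse_response(text):
    """Client side: strip the prefix before decoding, reject anything without it."""
    if not text.startswith(PREFIX):
        raise ValueError("response is missing the expected prefix")
    return json.loads(text[len(PREFIX):])
```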
