yes, especially when using SSL it should be very secure

> We do too, but as Ian also said, it only remembers the values to fill
> the fields with. I'm pretty sure your idea about using hidden fields
> won't work: I doubt browsers would fill them and I think browsers
> differ in when they fill the fields (Chrome seems to be waiting onload
> to *look* into the password manager, so it fills the fields *after*
> onload)

hmm, I don't know for all browsers, but it definitely works in FF.
I am using static username and password fields in my main HTML page,
and in onModuleLoad() I can easily read the contents of those fields.
Currently I am only using this as default values for our login form,
but it would be no problem to auto-login the users.
On Jun 18, 11:40 pm, Thomas Broyer <[email protected]> wrote:
> On 18 June, 18:02, mars1412 <[email protected]> wrote:
>
> > Isn't that insecure regarding
> > CSRF? http://www.openajax.org/whitepapers/Ajax%20and%20Mashup%20Security.ph...
> > I must admit that I am a noob regarding security of Web-Apps, so
> > please anyone correct me, if I misunderstood.
>
> As Ian said, it's only insecure if you use that same cookie to
> authenticate requests to your server (which we do not do: we're
> passing the ticket within an Authorization header with a specially
> crafted authenticate scheme: "Authorization: UbicAuth <ticket>"; in
> other words, we're using and extending HTTP authentication
> mechanisms).
> It doesn't work for file uploads though, as they have to use a
> FormPanel (I'm thinking about using some Flash, as I doubt Gears or
> BrowserPlus would meet our client's requirements...). In that case,
> we're passing the ticket in the URL; and because we're using SSL/TLS,
> we're safe (not to mention that the app is in a WAN, inaccessible from
> the Internet).
>
> I'm not a security expert but I think we're pretty secure, probably
> more than other web apps already deployed at that same client (not to
> mention apps that were deployed before CSRF was really identified and
> haven't been updated since then).
>
> > Another question is: why don't you try to use the password manager of
> > the browsers?
>
> We do too, but as Ian also said, it only remembers the values to fill
> the fields with. I'm pretty sure your idea about using hidden fields
> won't work: I doubt browsers would fill them and I think browsers
> differ in when they fill the fields (Chrome seems to be waiting onload
> to *look* into the password manager, so it fills the fields *after*
> onload)

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/Google-Web-Toolkit?hl=en
