I have read the discussion at http://groups.google.com/group/google-web-toolkit/web/security-for-gwt-applications and follow it completely. The general recommendation to prevent Cross Site Scripting is to duplicate the session id in the HTTP request payload. Doing that takes some effort, and I don't want to do it unless absolutely necessary.
When I went through the code for GWT's RemoteServiceServlet, I saw that it checks for the presence of an HTTP header, "X-GWT-Permutation", and fails the service if it is absent. I thought about it for some time and came to the conclusion that the HTTP header alone should be sufficient to prevent cross site scripting. The only way that header can be set is via an XmlHttpRequest. A request originating from a <script>, <iframe>, <img> or <form> tag is not going to be able to set that header. And an XmlHttpRequest originating from a different domain is not going to work due to the Same Origin Policy.

*Question* - Is this conclusion correct? Has anybody yet found a way to get around the HTTP header and make an XSS attack on a GWT RPC service?

thanks!
--Sri

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en
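An added example, not code from the post or from GWT itself, showing the rule the post describes as a stand-alone servlet filter: it refuses any RPC request that is not a POST, that does not carry the X-GWT-Permutation header, or whose Content-Type is one an HTML form could have produced. The class name GwtRpcHeaderFilter and the web.xml path in the comment are assumptions. The reasoning is the one given in the post: tags such as <img> and <form> cannot add custom headers, and a cross-origin XmlHttpRequest that tries to add one is stopped by the Same Origin Policy (in browsers that implement CORS it becomes a preflight, which the server below never answers, so the real request is never sent). What this check defends against is a forged cross-site request; it does nothing against script already running on the application's own origin, which can set the header and has the session cookie.

```java
import java.io.IOException;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (class name is an assumption) that rejects GWT RPC calls
 * lacking the markers only same-origin script can produce. Map it in web.xml
 * to the same URL pattern as the RPC servlet, e.g. /app/rpc/* (placeholder).
 */
public class GwtRpcHeaderFilter implements Filter {

    private static final Logger LOG = Logger.getLogger(GwtRpcHeaderFilter.class.getName());

    /** Header the generated GWT client adds to every RPC call. */
    static final String PERMUTATION_HEADER = "X-GWT-Permutation";

    /** Content type the GWT client sends; an HTML form cannot produce it. */
    static final String RPC_CONTENT_TYPE = "text/x-gwt-rpc";

    @Override
    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String reason = rejectionReason(request);
        if (reason != null) {
            // Log enough to spot forgery attempts without echoing the payload.
            LOG.warning("Rejected RPC call to " + request.getRequestURI()
                    + " from " + request.getRemoteAddr() + ": " + reason);
            response.sendError(HttpServletResponse.SC_FORBIDDEN, reason);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * Returns null when the request may proceed, otherwise a short reason for
     * refusing it. Kept apart from doFilter so it can be unit-tested with a
     * mocked HttpServletRequest.
     */
    static String rejectionReason(HttpServletRequest request) {
        // GWT RPC is always a POST; a GET from <img>, <script> or a plain link
        // can never be a legitimate RPC call.
        if (!"POST".equals(request.getMethod())) {
            return "RPC requires POST";
        }
        // Only XMLHttpRequest on the same origin can add this header;
        // <form> submissions and other tag-driven requests cannot.
        String permutation = request.getHeader(PERMUTATION_HEADER);
        if (permutation == null || permutation.trim().isEmpty()) {
            return "missing " + PERMUTATION_HEADER;
        }
        // Forms are limited to urlencoded, multipart and text/plain bodies,
        // so requiring the RPC content type blocks them as a second layer.
        String contentType = request.getContentType();
        if (contentType == null || !contentType.toLowerCase().startsWith(RPC_CONTENT_TYPE)) {
            return "unexpected Content-Type";
        }
        return null;
    }
}
```

The check only holds as long as the server does not opt other origins in through CORS: if a response ever carries Access-Control-Allow-Origin together with an Access-Control-Allow-Headers value that lists X-GWT-Permutation, a cross-origin XmlHttpRequest can set the header and the filter passes it. Keep any CORS configuration off the RPC path, and log rejections so a burst of forbidden POSTs is visible in monitoring.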
