In which class do you see this: "When I went through the code for GWT's RemoteServiceServlet, I see that it checks for the presence of a HTTP header "X-GWT-Permutation", and fails the service if absent."?

On 16 Sep, 11:55, Sripathi Krishnan <[email protected]> wrote:
> I have read the discussion at http://groups.google.com/group/google-web-toolkit/web/security-for-gw... and follow it completely. The general recommendation to prevent Cross Site Scripting is to duplicate the session id in the http request payload. Doing that takes some effort, and I don't want to do it unless absolutely necessary.
>
> When I went through the code for GWT's RemoteServiceServlet, I see that it checks for the presence of a HTTP header "X-GWT-Permutation", and fails the service if absent.
>
> I thought about it for some time, and came to the conclusion that the http header alone should be sufficient to prevent cross site scripting.
>
> The only way that header can be set is via an XmlHttpRequest. A request originating from a <script>, <iframe>, <img> or <form> tag is not going to be able to set that header. And an XmlHttpRequest originating from a different domain is not going to work due to Same Origin Policy.
>
> *Question* - Is this conclusion correct? Has anybody yet found a way to get around the http header and make an XSS attack on a GWT RPC Service?
>
> thanks!
> --Sri
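The header check Sri describes, written as a stand-alone servlet filter so the mechanism can be read in one place. This is an added illustration, not GWT's own RemoteServiceServlet code; the filter class name and the `hasPermutationHeader` helper are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not GWT's code) that rejects RPC requests lacking the
 * X-GWT-Permutation header, mirroring the check the thread attributes to
 * RemoteServiceServlet. Map it in web.xml in front of the RPC servlet.
 */
public class GwtPermutationHeaderFilter implements Filter {
    static final String HEADER = "X-GWT-Permutation";

    /** True when the request carries a non-empty X-GWT-Permutation header. */
    static boolean hasPermutationHeader(HttpServletRequest req) {
        String value = req.getHeader(HEADER);
        return value != null && !value.trim().isEmpty();
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        // Reasoning from the thread: a custom header can only be added by an
        // XMLHttpRequest issued by the page's own script. Requests triggered
        // by <form>, <img>, <script> or <iframe> elements on another site
        // cannot carry it, and the browser's same-origin policy keeps a
        // cross-domain XHR from reaching the service, so a missing header
        // means the request did not come from the GWT client module.
        if (!hasPermutationHeader(req)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "missing " + HEADER);
            return;
        }
        chain.doFilter(request, response);
    }
}
```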
