Not necessarily a GWT question, but GWT certainly makes use of many widgets that contain data perhaps downloaded over SSL from a secure web site. The data is obviously in the clear inside the web browser, which is expected and fine.
But are there any security issues if someone frames your web site or otherwise gets the same web browser page to load JavaScript from another web site? Can the other web site's JavaScript work through the DOM or the JS global pool to find all the data? Would it be bad practice for the GWT client to keep the userid and password used to authenticate so it can send them in every subsequent RPC, both to defeat session hijacking (rather than sending a server-side token that closely mirrors the session id) and as a way to allow the client to auto-login itself should the request come in when the server has already terminated its session (either because it expired or was restarted, etc.)?
