In general you seem to be talking about attacks that would be handled by the browser's "Same Origin Policy". This does segregate js loaded from different places to prevent that sort of thing.
But if the users shouldn't have the data, then you shouldn't have sent it in the first place. Remember, the world beyond your server is hostile and never to be trusted.

-jason

On Oct 28, 2009, at 9:48 AM, Open eSignForms wrote:

> Not necessarily a GWT question, but GWT certainly makes use of many widgets that contain data perhaps downloaded over SSL from a secure web site. The data is obviously in the clear inside the web browser, which is expected and fine.
>
> But are there any security issues if someone frames your web site or otherwise gets the same web browser page to load javascript from another web site, can the other web site's javascript work through the DOM or the JS global pool to find all the data?
>
> Would it be bad practice for the GWT client to keep the userid and password used to authenticate so it can send them in every subsequent RPC, both to defeat session hijacking (rather than sending a server-side token that closely mirrors the session id) and as a way to allow the client to auto-login itself should the request come in when the server has already terminated its session (either because it expired or was restarted, etc.)?

You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en
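The reply above leans on the Same Origin Policy without spelling out what "origin" means. As an added example (not part of the thread, and not GWT code), the following Node.js snippet models the origin comparison the browser performs: two documents share DOM and JS globals only when scheme, host and port all match, and opaque origins such as `file:` never match anything. The sample URL pairs are constructed for illustration; `app.example.com` and `evil.example.com` are placeholders, and the `canReadDom` helper is a hypothetical name chosen here, not a browser API. One caveat the model makes explicit in its comments: SOP isolates a framed page or a page in another tab, but a `<script src>` that a page includes from another site runs in the including page's own origin, so the page's data is fully visible to it.

```javascript
// Added example, not from the original thread: a minimal model of how the
// browser's Same Origin Policy decides whether two documents may touch each
// other's DOM and JS globals. The real policy lives in the browser; this only
// reimplements the origin comparison so the rule can be exercised offline.

// Derive the origin (scheme://host[:port]) from a URL. The WHATWG URL parser
// already folds default ports and lower-cases hosts for us; opaque origins
// (file:, data:, blob: without an http(s) parent) come back as the string "null".
function originOf(url) {
  return new URL(url).origin;
}

// Two origins are "the same" only when scheme, host and port all match.
// An opaque ("null") origin never matches anything, not even itself.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  if (a === 'null' || b === 'null') return false;
  return a === b;
}

// Hypothetical helper modelling what a script running in `scriptPage` can reach
// when `targetPage` is loaded in the same browser (another frame or tab): DOM
// and JS globals are shared only within an origin. Note that a
// <script src="https://other.example/x.js"> included by a page executes in the
// including page's origin, so SOP offers no protection against a script the
// page itself chose to load.
function canReadDom(scriptPage, targetPage) {
  return sameOrigin(scriptPage, targetPage);
}

// Constructed sample pairs illustrating where the boundary falls.
const SAMPLES = [
  ['https://app.example.com/index.html', 'https://app.example.com/rpc'],   // same origin
  ['https://app.example.com:443/',      'https://app.example.com/'],       // default port folds
  ['https://APP.example.com/',          'https://app.example.com/'],       // host is case-insensitive
  ['http://app.example.com/',           'https://app.example.com/'],       // scheme differs
  ['https://app.example.com/',          'https://evil.example.com/'],      // host differs
  ['https://app.example.com/',          'https://app.example.com:8443/'],  // port differs
  ['file:///tmp/page.html',             'file:///tmp/page.html'],          // opaque, never same
];

// Render each pair as "shared" or "isolated" for a quick table of outcomes.
function describe() {
  return SAMPLES.map(([a, b]) =>
    `${a} -> ${b}: ${canReadDom(a, b) ? 'shared' : 'isolated'}`);
}

console.log(describe().join('\n'));
```

Run it with `node sop-model.js` (any file name will do). The first three pairs report "shared" and the rest "isolated"; the point for the quoted question is that a framing site on a different origin lands in the "isolated" rows, while any script the page itself pulls in is not a separate origin at all.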
