> > But are there any security issues if someone frames your web site or
> > otherwise gets the same web browser page to load javascript from
> > another web site, can the other web site's javascript work through the
> > DOM or the JS global pool to find all the data?

I think you are speaking about cross site scripting. This document
http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications
speaks a lot about it. As per the document, if you don't use eval, setInnerHTML, or native javascript libraries, and use the standard RPC services, cross site scripting will be taken care of.

--Sri

2009/10/28 Jason Essington <[email protected]>

> In general you seem to be talking about attacks that would be handled
> by the browser's "Same Origin Policy". This does segregate js loaded
> from different places to prevent that sort of thing.
>
> but if the users shouldn't have the data, then you shouldn't have sent
> it in the first place. remember, the world beyond your server is
> hostile and never to be trusted.
>
> -jason
>
> On Oct 28, 2009, at 9:48 AM, Open eSignForms wrote:
>
> > Not necessarily a GWT question, but GWT certainly makes use of many
> > widgets that contain data perhaps downloaded over SSL from a secure
> > web site. The data is obviously in the clear inside the web browser,
> > which is expected and fine.
> >
> > But are there any security issues if someone frames your web site or
> > otherwise gets the same web browser page to load javascript from
> > another web site, can the other web site's javascript work through the
> > DOM or the JS global pool to find all the data?
> >
> > Would it be bad practice for the GWT client to keep the userid and
> > password used to authenticate so it can send them in every subsequent
> > RPC, both to defeat session hijacking (rather than sending a
> > server-side token that closely mirrors the session id) and as a way to
> > allow the client to auto-login itself should the request come in when
> > the server has already terminated its session (either because it
> > expired or was restarted, etc.)?
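An added example (not code from this thread or from GWT) of the setInnerHTML point in Sri's reply: the same-origin policy Jason mentions keeps another site's script out of your DOM, but it cannot help if your own code turns untrusted server data into markup inside your own origin. It is plain JavaScript so it runs without a browser; `escapeHtml`, `renderUnsafe`, `renderSafe`, `containsForeignTag` and the sample record are all constructed here.

```javascript
// Minimal HTML escaper for text placed between tags or inside a
// double-quoted attribute. The five characters below are the ones that
// can change the parser's context in those positions. '&' goes first so
// the other entities are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// The pattern to avoid: building a widget's innerHTML by string
// concatenation. Any field of `record` that originated from a user is
// parsed as markup, so it can run script with your site's origin.
function renderUnsafe(record) {
  return '<div class="doc"><span class="title">' + record.title +
         '</span> by <span class="owner">' + record.owner + '</span></div>';
}

// The hardened form: every untrusted field is escaped before it is
// concatenated. In GWT, setText() or a text node gives the same effect
// without hand-escaping.
function renderSafe(record) {
  return '<div class="doc"><span class="title">' + escapeHtml(record.title) +
         '</span> by <span class="owner">' + escapeHtml(record.owner) + '</span></div>';
}

// Constructed sample: a record whose title another user filled in with markup.
const SAMPLE_RECORD = {
  title: 'Q3 report <img src=x onerror="alert(1)">',
  owner: "O'Brien & Co",
};

// Does the rendered markup contain any tag that is not part of the
// template itself? Escaped text never matches because it has no '<'.
function containsForeignTag(html) {
  const allowed = new Set(['div', '/div', 'span', '/span']);
  const tags = html.match(/<\/?([a-zA-Z]+)/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1)));
}

console.log('unsafe render injects a tag:', containsForeignTag(renderUnsafe(SAMPLE_RECORD)));
console.log('safe render injects a tag:  ', containsForeignTag(renderSafe(SAMPLE_RECORD)));
```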
