I wouldn't think so, Brett. All of those tabs should be sandboxed.
JavaScript from one tab can't access JavaScript from other tabs.

If you mean an outside script or something like an add-on, they're all
equally vulnerable. See the Firefox extensions Live HTTP headers,
Modify Headers, and Tamper Data, which all let you intercept requests
from the browser before SSL kicks in. Any program that can run in the
browser and intercept the request before SSL encryption means that any
request, AJAX or not, can be intercepted in the same way. There's
really nothing you can do for that situation except include some sort
of hash to see if the request was tampered with, but that still won't
prevent that information being able to be read before the browser
encrypts it.

On Oct 13, 9:50 am, Brett Thomas <[email protected]> wrote:
> I don't think that'll do much. Per Stefan's Rule 1, anything the client
> stores can be read. If GWT encrypted stuff on the client, a hacker could
> find out how to invoke the de-encrypt() method pretty quickly.
>
> Related security question: since all apps that use GWT-RPC store data in the
> same way, does that make GWT apps even less safe than plain old ajax apps?
> Suppose a user is running 5 GWT-written apps simultaneously. Seems that one
> script could swipe user data from all the browser tabs at once, if it knows
> where to look for GWT-serialized objects. Think that's a valid concern?
>
> On Wed, Oct 13, 2010 at 10:29 AM, JuDaC <[email protected]> wrote:
>
> > Do you mean you want GWT to encrypt the object that is stored in
> > memory, before it's sent over RPC?
> > - yes, before sending the object or parameters over RPC, it obfuscates
> > it.
>
> > I'm creating ways to avoid as many attacks as I know or the literature
> > mentions. Here, the point is that I was wondering if GWT does not offer
> > something to make sure each request is really unique, avoiding for
> > example multiple requests of the same one (i.e. by tagging the
> > package).
>
> > I checked AcrIS, but it's not for the same purpose.
>
> > The idea was exchange XP on GWT security, because I might be creating
> > things that the community offers.
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Google Web Toolkit" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to
> > [email protected]<google-web-toolkit%[email protected]>
> > .
> > For more options, visit this group at
> > http://groups.google.com/group/google-web-toolkit?hl=en.
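
The "tagging" and "hash" ideas raised in this thread, sketched as a server-side check; this is an added example, not code from the thread or from GWT. `RequestGuard`, its field layout and the 60-second window are hypothetical, and as the thread points out, the session key is readable by anything running inside the browser, so the check only catches modification or replay by a party that does not hold the key.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical server-side helper; not a GWT class.
public class RequestGuard {
    private static final long MAX_AGE_MS = 60_000;   // assumed freshness window
    private final byte[] sessionKey;                 // per-session key issued by the server
    private final Map<String, Long> seen = new ConcurrentHashMap<>(); // nonce -> timestamp

    public RequestGuard(byte[] sessionKey) { this.sessionKey = sessionKey.clone(); }

    // Tag = HMAC-SHA256(key, nonce | timestamp | payload)
    public byte[] tag(String nonce, long ts, String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(sessionKey, "HmacSHA256"));
        return mac.doFinal((nonce + "|" + ts + "|" + payload).getBytes(StandardCharsets.UTF_8));
    }

    // Returns true only for a fresh, unmodified request whose nonce has not been used.
    public boolean accept(String nonce, long ts, String payload, byte[] tag, long now)
            throws Exception {
        if (nonce.indexOf('|') >= 0) return false;          // keep the field encoding unambiguous
        if (Math.abs(now - ts) > MAX_AGE_MS) return false;  // stale or far-future timestamp
        // Constant-time comparison of the expected and supplied tags.
        if (!MessageDigest.isEqual(tag(nonce, ts, payload), tag)) return false;
        // Nonces older than the window can be dropped: their timestamps are rejected above.
        seen.values().removeIf(t -> now - t > MAX_AGE_MS);
        return seen.putIfAbsent(nonce, ts) == null;         // non-null means a replay
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key, nonces and payloads.
        RequestGuard g = new RequestGuard("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        long now = System.currentTimeMillis();
        byte[] t = g.tag("n-001", now, "transfer=10");
        System.out.println("first use: " + g.accept("n-001", now, "transfer=10", t, now));
        System.out.println("replay:    " + g.accept("n-001", now, "transfer=10", t, now));
        System.out.println("altered:   " + g.accept("n-002", now, "transfer=9999", t, now));
    }
}
```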
