Two additions: The goal of the XSRF protection implementation in 2.3 was most likely to generate transaction tokens, that is, a unique shared secret for each individual transaction. What I'm questioning is whether a transparent and "always active" protection would increase security of actual deployed GWT applications. I understand that there are additional risks with a session-scoped XSRF token but I think it would already be much better than the current situation.
The XSRF protection document mentions that it is a stateless solution. On a stateless server HTTP sessions would be disabled though. Instead of subclassing and replacing the session-specific code, a really stateless variant should be provided. You could instead use an HMAC of the "action signature". This has been implemented for JSF here: https://issues.jboss.org/browse/JBSEAM-4007
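The contrast the message draws, a session-scoped shared secret versus a stateless HMAC over the "action signature", as an added illustration that is not part of the original post, the GWT code base or the JBSEAM-4007 implementation. It is written in Python rather than Java only so it runs stand-alone; the server key, the 15-minute lifetime, the choice of fields in the signature (user id, action name, expiry) and the `SessionStore` class are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed demo key. A real deployment loads this from configuration or a
# key store; anyone holding it can mint valid tokens for any user and action.
SERVER_KEY = b"constructed-demo-key-do-not-use-in-production"

# Assumed lifetime: the stateless variant has no session to expire, so the
# token itself must carry its own expiry.
TOKEN_TTL_SECONDS = 15 * 60


class SessionStore:
    """Session-scoped variant: one random secret per HTTP session.

    This is the "stateful" design the message is questioning. The server must
    keep the token, which is exactly what a stateless server cannot do.
    """

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def xsrf_token_for(self, session_id: str) -> str:
        return self._tokens.setdefault(session_id, secrets.token_hex(32))

    def verify(self, session_id: str, presented: str) -> bool:
        stored = self._tokens.get(session_id)
        return stored is not None and hmac.compare_digest(stored, presented)


def _action_signature(user_id: str, action: str, expires_at: int) -> str:
    """HMAC over who is acting, on what, and until when.

    Fields are length-prefixed so that ("ab", "c") and ("a", "bc") never
    hash to the same MAC input.
    """
    parts = (user_id.encode(), action.encode(), str(expires_at).encode())
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_stateless_token(user_id: str, action: str,
                          now: Optional[int] = None) -> str:
    """Mint a token the server can later verify without storing anything."""
    now = int(time.time()) if now is None else now
    expires_at = now + TOKEN_TTL_SECONDS
    return f"{expires_at}.{_action_signature(user_id, action, expires_at)}"


def verify_stateless_token(user_id: str, action: str, token: str,
                           now: Optional[int] = None) -> bool:
    """Recompute the MAC from the request context and compare in constant time.

    Binding the MAC to the authenticated user id means a token captured from
    one user's page is useless in another user's session; binding it to the
    action name means a token issued for a harmless RPC cannot be replayed
    against a destructive one.
    """
    now = int(time.time()) if now is None else now
    try:
        expires_str, presented_mac = token.split(".", 1)
        expires_at = int(expires_str)
    except ValueError:
        return False          # malformed token
    if now >= expires_at:
        return False          # expired
    expected = _action_signature(user_id, action, expires_at)
    return hmac.compare_digest(expected, presented_mac)


if __name__ == "__main__":
    t = issue_stateless_token("alice", "deleteAccount", now=1000)
    print(t, verify_stateless_token("alice", "deleteAccount", t, now=1001))
```

The stateless variant trades server memory for key management: nothing is stored per session, but rotating `SERVER_KEY` invalidates every outstanding token at once, and the expiry field is the only thing bounding how long a leaked token stays usable.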
