Hot off the press: see also https://groups.google.com/d/msg/google-web-toolkit/-/PmeSgruN0Z4J
/dmc On Wed, Sep 28, 2011 at 7:20 AM, David Chandler <[email protected]>wrote: > RequestFactory does not provide built-in XSRF protection. You can set a > custom header in DefaultRequestTransport as previously suggested by Thomas > Broyer: > > > https://groups.google.com/group/google-web-toolkit/browse_thread/thread/f0f74b0734f04a1c/431c7ba0e3368c8f > > As for the session mechanism in XsrfProtectedServiceServlet, not all apps > use HttpSessions. That would be a sensible default, though. > > Cheers, > /dmc > > > On Tue, Sep 27, 2011 at 9:44 PM, Vampire <[email protected]> wrote: > >> Hi >> >> Does RequestFactory has included XSRF protection? >> For RPC Requests I see the XsrfProtectedServiceServlet. >> But I don't see a XsrfProtectedRequestFactoryServlet or similar. >> While the documentation states that RequestFactory is better and newer >> and should be used. >> Does this mean it has XSRF protection included, or would one have to >> rebuild what XsrfProtectedServiceServlet does for the >> RequestFactoryServlet? >> >> And why does the XsrfProtectedServiceServlet need the session cookie >> name injected? >> Why doesn't it simply use HttpServletRequest.getSession().getId() >> which wouldn't need any manual configuration? >> >> Regards >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Google Web Toolkit" group. >> To post to this group, send email to [email protected]. >> To unsubscribe from this group, send email to >> [email protected]. >> For more options, visit this group at >> http://groups.google.com/group/google-web-toolkit?hl=en. >> >> > > > -- > David Chandler > Developer Programs Engineer, GWT+GAE > w: http://code.google.com/ > b: http://turbomanage.wordpress.com/ > b: http://googlewebtoolkit.blogspot.com/ > t: @googledevtools > > -- David Chandler Developer Programs Engineer, GWT+GAE w: http://code.google.com/ b: http://turbomanage.wordpress.com/ b: http://googlewebtoolkit.blogspot.com/ t: @googledevtools -- You received this message because you are subscribed to the Google Groups "Google Web Toolkit" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
