How to determine space available to RootPanel.get('some_div')?
Greetings,

I'm writing a simple client-side-only photo gallery and want to determine the space available in the host page. The app is added inside a div element in the host page and I know I can get the top and left offsets for that div, but I cannot for the life of me work out how to get the bottom and right offsets too. I can make assumptions about what they /might/ be based on top and left, but in practice this doesn't work well.

Is there a best practice for getting the space available to an app? Anyone got any good ideas? Examples? Should I RTFM?

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups Google Web Toolkit group.
To post to this group, send email to google-web-toolkit@googlegroups.com
To unsubscribe from this group, send email to google-web-toolkit+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/google-web-toolkit?hl=en
-~--~~~~--~~--~--~---
CSRF protection for RPC calls - Generate cookie on the client - is it safe?
Hello GWTers!

Having read the XSRF and GWT section of the page at http://groups.google.com/group/Google-Web-Toolkit/web/security-for-gwt-applications I'm trying to implement the suggested protection, which involves sending an extra 'cookie value' param in GWT calls and then comparing that value with the value of the cookie header.

My question involves the generation of the cookie value and whether it is safe to do this on the client. As long as it doesn't impact client performance, it seems to me that generating a random token, setting the cookie with that token and sending the same token as a param in RPC calls would be a neat way to offload CPU cycles to the client. The server would then only need to compare the cookie header with the token received in each RPC call and drop the call if the values don't match (on the assumption that the call hasn't been made by the logged-in client).

Is that safe? Is there a way for a forged request to include a cookie? If the server merely compares two arbitrary strings, wouldn't it be easy for a forger to bypass the restrictions relied upon for this type of protection?

Any insights gratefully received. Cheers.
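
The server-side comparison described in the post above, as an added example that is not part of the original thread or of GWT itself. The class name, the cookie name `XSRF_TOKEN`, the minimum token length and the sample values are assumptions; the check only holds if other sites can neither read nor set cookies for the application's domain.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Added example: double-submit check for an RPC call. All names are hypothetical. */
public class DoubleSubmitCheck {
    static final String COOKIE_NAME = "XSRF_TOKEN"; // assumed cookie name
    static final int MIN_TOKEN_LENGTH = 32;         // assumed: 128 random bits, hex-encoded

    /** Returns the named cookie's value from a raw Cookie header, or null. */
    static String cookieValue(String cookieHeader, String name) {
        if (cookieHeader == null) return null;
        String found = null;
        for (String pair : cookieHeader.split(";")) {
            int eq = pair.indexOf('=');
            if (eq < 0) continue;
            if (pair.substring(0, eq).trim().equals(name)) {
                if (found != null) return null; // same name twice is ambiguous: refuse
                found = pair.substring(eq + 1).trim();
            }
        }
        return found;
    }

    /** True only if the RPC parameter equals the cookie the browser sent. */
    static boolean isAllowed(String cookieHeader, String tokenParam) {
        String cookie = cookieValue(cookieHeader, COOKIE_NAME);
        if (cookie == null || tokenParam == null) return false;
        // Reject short values so an empty or trivial cookie never "matches".
        if (cookie.length() < MIN_TOKEN_LENGTH) return false;
        // MessageDigest.isEqual compares without stopping at the first difference.
        return MessageDigest.isEqual(
                cookie.getBytes(StandardCharsets.UTF_8),
                tokenParam.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String token = "9f2c4e7a1b3d5f60718293a4b5c6d7e8"; // constructed sample value
        String header = "JSESSIONID=abc123; " + COOKIE_NAME + "=" + token;
        // Call made by the application's own page, which can read its cookie.
        System.out.println("own page:          " + isAllowed(header, token));
        // Cross-site call: the browser attaches the cookie, but the calling page
        // cannot read it, so the parameter is missing or does not match.
        System.out.println("param missing:     " + isAllowed(header, null));
        System.out.println("param mismatched:  "
                + isAllowed(header, "00000000000000000000000000000000"));
        // No token cookie at all, whatever the parameter says.
        System.out.println("cookie missing:    " + isAllowed("JSESSIONID=abc123", token));
    }
}
```

The server never stores the token here; it only checks that the parameter and the cookie carry the same value, so the comparison is independent of which side generated that value.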