Letractively / webpasswordsafe

Automatically exported from code.google.com/p/webpasswordsafe

Research GWT's new built-in XSRF protection #53

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
As of version 2.3, GWT claims to have implemented stronger CSRF protection by 
default.  The previous model wasn't strong enough to depend on in a highly 
secure application like WebPasswordSafe, so we implemented our own on top of 
theirs.  Research if this new model is strong enough, and if so migrate to it 
to be more standardized and supported.

http://code.google.com/webtoolkit/doc/latest/DevGuideSecurityRpcXsrf.html

Original issue reported on code.google.com by joshdrum...@gmail.com on 22 Nov 2011 at 7:22

GoogleCodeExporter commented 8 years ago

Original comment by joshdrum...@gmail.com on 23 Nov 2011 at 6:41

GoogleCodeExporter commented 8 years ago
The new GWT built-in solution does look adequate enough.  Their model of 
requiring an extra RPC call for the CSRF token is more cumbersome than setting 
it via a cookie like I had before, but having to make that extra call may be 
more compatible with some server setups than setting cookies in proxied or 
clustered app servers.

Original comment by joshdrum...@gmail.com on 4 Dec 2011 at 6:56
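
The trade-off in the last comment (a token fetched with an extra call, usable behind proxies or across clustered app servers) can be shown with a session-bound token that any node can check without shared per-token state. This is an added example, not code from the original issue, WebPasswordSafe, or GWT; the class and method names are hypothetical, HMAC-SHA256 is the derivation chosen here for illustration, and it assumes every node is configured with the same secret key.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not GWT or WebPasswordSafe code.
public class SessionBoundXsrfToken {
    private final SecretKeySpec key;

    // Assumption: every node in the cluster is configured with the same secret key.
    public SessionBoundXsrfToken(byte[] sharedSecret) {
        this.key = new SecretKeySpec(sharedSecret, "HmacSHA256");
    }

    // What the "extra RPC call" returns: a token derived from the caller's session id.
    public String issue(String sessionId) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        byte[] tag = mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
    }

    // Run before dispatching any state-changing RPC; needs no per-token server state.
    public boolean isValid(String sessionId, String presentedToken) throws Exception {
        if (sessionId == null || presentedToken == null) {
            return false;
        }
        byte[] expected = issue(sessionId).getBytes(StandardCharsets.UTF_8);
        byte[] actual = presentedToken.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, for demonstration only.
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        SessionBoundXsrfToken nodeA = new SessionBoundXsrfToken(secret);
        SessionBoundXsrfToken nodeB = new SessionBoundXsrfToken(secret);

        String token = nodeA.issue("session-alice"); // token issued by one node
        System.out.println("validated on another node: " + nodeB.isValid("session-alice", token));
        System.out.println("token missing:             " + nodeB.isValid("session-alice", null));
        System.out.println("token from other session:  " + nodeB.isValid("session-bob", token));
    }
}
```

Because the token is recomputed from the session id on each request, a request that arrives with the session cookie but without the matching token in the RPC payload is rejected, regardless of which node issued the token.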