http://gwt-code-reviews.appspot.com/1251801/diff/11001/12010
File user/src/com/google/gwt/user/server/rpc/XsrfUtils.java (right):

http://gwt-code-reviews.appspot.com/1251801/diff/11001/12010#newcode62
user/src/com/google/gwt/user/server/rpc/XsrfUtils.java:62: public static <T extends Annotation> T getClassAnnotation(Class<?> clazz,
Rather than copying, I would prefer to simply move it to a more central location if you don't want to just use it where it is.

http://gwt-code-reviews.appspot.com/1251801/diff/11001/12010#newcode85
user/src/com/google/gwt/user/server/rpc/XsrfUtils.java:85: * consistency in duplicate cookies handling.
I don't understand this comment -- why does being package-private help consistency? Also, it seems like it isn't package-private -- is this just an outdated comment?

http://gwt-code-reviews.appspot.com/1251801/diff/11001/12010#newcode124
user/src/com/google/gwt/user/server/rpc/XsrfUtils.java:124: public static String getMd5DigestHexString(byte[] input) {
Use Util.computeStrongName instead of recreating it here.

http://gwt-code-reviews.appspot.com/1251801/diff/11001/12015
File user/test/com/google/gwt/user/client/rpc/XsrfTestServiceAsync.java (right):

http://gwt-code-reviews.appspot.com/1251801/diff/11001/12015#newcode23
user/test/com/google/gwt/user/client/rpc/XsrfTestServiceAsync.java:23: void setSessionCookieName(String cookieName, AsyncCallback<Void> callback);
Should we detect if annotations are placed on the Async interface instead of the sync one? That seems like an error that could be easily made, and it would result in possibly no protection where it was expected.

http://gwt-code-reviews.appspot.com/1251801/show

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors