In addition, note that it's relatively easy to mark up a link or image
for malicious inclusion in an unsuspecting page.  Note also that these
controls interact with the server through GET requests.  So make sure
you follow REST advice and make all your GET service routines "safe".
No side effects for GETs, in other words.

Walden

On Oct 1, 1:03 pm, walden <[EMAIL PROTECTED]> wrote:
> Yes, and those cross-site attacks depend on your server (and/or your
> client) taking user input and blindly embedding it in the DOM, so that
> the user can create links and buttons and images and the like on the
> page you supposedly control.  So don't do that, and then you can use
> HTTP standards for authentication.
>
> Walden
>
> On Oct 1, 8:40 am, Lothar Kimmeringer <[EMAIL PROTECTED]> wrote:
>
> > walden schrieb:
>
> > > However, I'm suggesting a simpler approach, one which I'm using on my
> > > project, which is simply configuring your server to protect the
> > > resources you want protected using HTTP Digest authentication.
> > > Depending on what your server is, find the documentation on
> > > configuring that.  There's not a whole lot more to it.
>
> > HTTP Digest authentication has the same problem as session IDs
> > in cookies. A browser automatically transfers the authentication
> > credentials for every request, so you're in danger of successful
> > cross-site attacks.
>
> > Regards, Lothar
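The two rules the thread arrives at, keep GET handlers free of side effects and never embed user input in the page unescaped, together with Lothar's observation that the browser attaches Digest or cookie credentials to every request regardless of which site triggered it, can be enforced in a small server-side request layer. The following is an added example written for this page, not code from the thread or from GWT: the Request/Response/Router classes, the route names, the sample item store and the per-session token check on POST (a common mitigation the thread itself does not mention) are all constructed for illustration.

```python
"""Added example (not from the thread): a minimal request layer that enforces
safe GETs, escapes user-supplied text before it is rendered, and requires a
per-session token for state-changing POSTs."""
import html
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)
    # The browser attaches Digest credentials or a session cookie to every
    # request for the site, including ones triggered from another site, so
    # "authenticated" alone says nothing about where the request originated.
    authenticated: bool = False
    session_token: str = ""  # hypothetical server-issued per-session secret


@dataclass
class Response:
    status: int
    body: str


class Router:
    """Routes are keyed by (method, path). A handler registered with @safe
    answers GET only and must not change state; one registered with
    @mutating answers POST only and must present the session token."""

    def __init__(self):
        self._routes = {}

    def safe(self, path):
        def register(fn):
            self._routes[("GET", path)] = fn
            return fn
        return register

    def mutating(self, path):
        def register(fn):
            self._routes[("POST", path)] = fn
            return fn
        return register

    def dispatch(self, req):
        if not req.authenticated:
            return Response(401, "authentication required")
        handler = self._routes.get((req.method, req.path))
        if handler is None:
            # A mutating route reached via GET (image tag, link) gets 405, not
            # a silent side effect.
            known = any(p == req.path for _, p in self._routes)
            return Response(405, "method not allowed") if known else Response(404, "not found")
        if req.method == "POST":
            supplied = req.params.get("csrf_token", "")
            if not req.session_token or not secrets.compare_digest(supplied, req.session_token):
                return Response(403, "missing or wrong csrf token")
        return handler(req)


def build_app():
    # Constructed sample data; the second value is stored user input that
    # contains markup and must render as text, not as a live link.
    store = {"1": "alpha", "2": '<a href="http://other-site.example/">click</a>'}
    router = Router()

    @router.safe("/items")
    def list_items(req):
        # Escaping stops stored input from becoming markup on the page.
        rows = "".join(f"<li>{html.escape(v)}</li>" for v in store.values())
        return Response(200, f"<ul>{rows}</ul>")

    @router.mutating("/items/delete")
    def delete_item(req):
        store.pop(req.params.get("id"), None)
        return Response(200, "deleted")

    return router, store


def cross_site_image_scenario():
    """Another site embeds <img src=".../items/delete?id=1">; the browser
    fetches it with GET and attaches the user's credentials."""
    router, store = build_app()
    resp = router.dispatch(Request("GET", "/items/delete", {"id": "1"},
                                   authenticated=True, session_token="tok"))
    return resp.status, sorted(store)


def cross_site_form_scenario():
    """Another site auto-submits a POST form; credentials go along, but the
    session token is not known to that site."""
    router, store = build_app()
    resp = router.dispatch(Request("POST", "/items/delete", {"id": "1"},
                                   authenticated=True, session_token="tok"))
    return resp.status, sorted(store)


def legitimate_delete_scenario():
    router, store = build_app()
    token = secrets.token_urlsafe(16)
    resp = router.dispatch(Request("POST", "/items/delete",
                                   {"id": "1", "csrf_token": token},
                                   authenticated=True, session_token=token))
    return resp.status, sorted(store)


def listing_scenario():
    router, _ = build_app()
    return router.dispatch(Request("GET", "/items", authenticated=True)).body


if __name__ == "__main__":
    print(cross_site_image_scenario(), cross_site_form_scenario())
    print(legitimate_delete_scenario())
    print(listing_scenario())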