On Thursday, March 2, 2017 at 8:01:18 AM UTC+1, gitzzz wrote:
>
> Hi! I use RequestBuilder for client-server communication, and I have some 
> questions:
>
> For example, we make an HTTP request to ".../get.php" (a function that 
> selects some data from the DB and sends it back). The response is an array 
> [1,2,3,4,5].
>
> On the client side, in onTheButtonClick we can change the data to 
> new_array[1,3,6,8,9], and now we need to send these changes to the DB. And 
> in onSaveButtonClick() we make an HTTP POST request to ".../set.php" with 
> parameters = new_array.
>
> The question is: is it safe? Is it possible that any authenticated user can 
> make this call by creating a JS script with an HTTP POST request and sending 
> his own (fake) data (e.g. fake_array[10,20,30,23,12]) without clicking a 
> button? How can I send changed data from the client side to the server safely?
>

What you're describing is a Cross-Site Request Forgery (CSRF) attack and is 
absolutely possible.
Your server code needs to check the origin of the request to prevent them 
(if there's an Origin header, use it, otherwise use the Referer header; 
check that the scheme, hostname and port match the current request –or any 
origin you decide to trust for issuing such requests–; and if there's 
neither you should refuse the POST request, but you should know that some 
corporate proxies remove Referer headers, so without HTTPS to prevent this 
man-in-the-middle situation you're going to need CSRF "tokens" and this is 
a bit painful to manage correctly).
See https://www.w3.org/TR/cors/ for the gory details.
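The origin check the reply describes, written out as an added example; this is not code from the thread and not part of GWT. It is a plain Java helper for the server side of the set.php call (the thread's server is PHP, but the logic ports directly), and the class name, the trusted origin https://app.example.com and the header values in main() are constructed for illustration. It prefers the Origin header, falls back to Referer, reduces either to scheme://host:port so that default ports compare equal, refuses when neither header is present, and includes the constant-time token comparison you need once proxies start stripping Referer.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Set;

/** Server-side guard for state-changing requests such as the POST to set.php. */
public final class CsrfOriginCheck {

    private final Set<String> trustedOrigins = new HashSet<>();

    /**
     * @param origins absolute URLs of the origins allowed to issue such POSTs;
     *                normally just the URL the request itself arrived at.
     */
    public CsrfOriginCheck(Set<String> origins) {
        for (String o : origins) {
            String normalized = originOf(o);
            if (normalized != null) trustedOrigins.add(normalized);
        }
    }

    /**
     * Reduce a URL (an Origin header, a Referer header or the request's own URL)
     * to "scheme://host:port", filling in the default port so that
     * "https://app.example.com" and "https://app.example.com:443/x" compare equal.
     * Returns null for anything that is not an absolute http(s) URL, which also
     * covers the literal Origin value "null" that browsers send in some cases.
     */
    static String originOf(String url) {
        if (url == null) return null;
        try {
            URI u = new URI(url.trim());
            String scheme = u.getScheme();
            String host = u.getHost();
            if (scheme == null || host == null) return null;
            scheme = scheme.toLowerCase();
            int port = u.getPort();
            if (port == -1) {
                if ("https".equals(scheme)) port = 443;
                else if ("http".equals(scheme)) port = 80;
                else return null;
            }
            return scheme + "://" + host.toLowerCase() + ":" + port;
        } catch (URISyntaxException e) {
            return null; // unparseable header: treat as untrusted
        }
    }

    /**
     * Origin check as described in the reply: prefer Origin, fall back to Referer,
     * refuse when neither is present or when the source origin is not trusted.
     */
    public boolean allowByOrigin(String originHeader, String refererHeader) {
        String source = originHeader != null ? originHeader : refererHeader;
        if (source == null) return false; // neither header: refuse the POST
        String origin = originOf(source);
        return origin != null && trustedOrigins.contains(origin);
    }

    /**
     * Token fallback for deployments where proxies strip Referer: the server
     * generated sessionToken (random, stored server-side per session) and the
     * client echoes it back in the request body or a custom header. The
     * constant-time comparison avoids leaking the token through timing.
     */
    public static boolean tokenMatches(String sessionToken, String submittedToken) {
        if (sessionToken == null || submittedToken == null) return false;
        return MessageDigest.isEqual(
                sessionToken.getBytes(StandardCharsets.UTF_8),
                submittedToken.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample: the GWT app is served from https://app.example.com.
        CsrfOriginCheck check = new CsrfOriginCheck(Set.of("https://app.example.com/set.php"));

        // 1. The app's own RequestBuilder POST: the browser sends a matching Origin.
        System.out.println("own page, Origin present:  " + check.allowByOrigin("https://app.example.com", null));
        // 2. Only Referer present, pointing at a page of the app.
        System.out.println("own page, Referer only:    " + check.allowByOrigin(null, "https://app.example.com/index.html"));
        // 3. A page on another site issuing the POST for a logged-in user (the CSRF case).
        System.out.println("foreign page:              " + check.allowByOrigin("https://other.example.net", null));
        // 4. Both headers missing, e.g. stripped by a proxy on plain HTTP: refuse.
        System.out.println("no headers:                " + check.allowByOrigin(null, null));
        // 5. Token fallback with constructed sample token values.
        System.out.println("token matches:             " + tokenMatches("sample-session-token", "sample-session-token"));
        System.out.println("token mismatch:            " + tokenMatches("sample-session-token", "something-else"));
    }
}
```

In a servlet you would build the trusted set from request.getRequestURL() (plus any other origins you deliberately trust) and call allowByOrigin(request.getHeader("Origin"), request.getHeader("Referer")) before touching the database; on a false result answer 403 and do not process the submitted array. The same comparison applies to a PHP set.php using the HTTP_ORIGIN and HTTP_REFERER server variables.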

-- 
You received this message because you are subscribed to the Google Groups "GWT 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to google-web-toolkit+unsubscr...@googlegroups.com.
To post to this group, send email to google-web-toolkit@googlegroups.com.
Visit this group at https://groups.google.com/group/google-web-toolkit.
For more options, visit https://groups.google.com/d/optout.