RequestFactory (and GWT RPC as well) automatically adds a custom HTTP header
("X-GWT-Permutation") to each request. See DefaultRequestTransport.java
(http://code.google.com/p/google-web-toolkit/source/browse/trunk/user/src/com/google/gwt/requestfactory/client/DefaultRequestTransport.java#120).
In modern browsers, it is impossible to add such a request header in a
cross-site manner. Because of this feature, most developers don't need to
worry about CSRF - GWT automatically protects them.

However, old versions of Flash allow an attacker to set custom HTTP headers,
thus bypassing the default CSRF protection. If your website has users that use
outdated versions of Flash, only those specific users would be vulnerable to
CSRF.

If you think this is sufficient risk, you will have to continue sending the
session id in the request and verifying it on the server. To do so, you can
extend DefaultRequestTransport as mentioned by Thomas
(http://groups.google.com/group/google-web-toolkit/browse_thread/thread/e835c3153bc62f4c/751df0dc6aa7eb40?lnk=gst&q=entitymanagerfactory#751df0dc6aa7eb40),
and add the user-specific session id as a request header. Then, on the
server side, match the ids in the session object and the request header. If
they are not equal, abort the request.

--Sri

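The two halves of the approach Sri describes (a transport that adds the session id as a header, and a server-side check that compares it with the session) as an added example; this is not code from the thread or from the GWT project. It assumes the version of DefaultRequestTransport in use exposes a `configureRequestBuilder(RequestBuilder)` hook (as the linked GWT 2.1 source does), that the session cookie is readable from script (not HttpOnly), and the header and cookie names `X-Session-Id` and `JSESSIONID` are placeholders you would adapt. The two classes belong in separate source files (client module and server side).

```java
// ---- Client side (GWT module) ----
import com.google.gwt.http.client.RequestBuilder;
import com.google.gwt.requestfactory.client.DefaultRequestTransport;
import com.google.gwt.user.client.Cookies;

/** Transport that copies the user's session id into a request header. */
public class SessionHeaderTransport extends DefaultRequestTransport {
    // Assumed names: the header the server-side filter checks, and the cookie
    // holding the session id (it must be readable from script for this to work).
    public static final String SESSION_HEADER = "X-Session-Id";
    public static final String SESSION_COOKIE = "JSESSIONID";

    @Override
    protected void configureRequestBuilder(RequestBuilder builder) {
        // Keep the default headers (Content-Type, X-GWT-Permutation, ...).
        super.configureRequestBuilder(builder);
        String sessionId = Cookies.getCookie(SESSION_COOKIE);
        if (sessionId != null) {
            // A cross-site page cannot read this cookie, so it cannot forge the header.
            builder.setHeader(SESSION_HEADER, sessionId);
        }
    }
}
// Installed once at startup, e.g.:
//   requestFactory.initialize(eventBus, new SessionHeaderTransport());


// ---- Server side (servlet filter mapped in front of the RequestFactory servlet) ----
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/** Rejects any request whose session header does not match the server-side session. */
public class SessionHeaderFilter implements Filter {
    private static final String SESSION_HEADER = "X-Session-Id";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Never create a session here: a request without one is not from a logged-in user.
        HttpSession session = request.getSession(false);
        String header = request.getHeader(SESSION_HEADER);

        if (session == null || header == null
                || !constantTimeEquals(session.getId(), header)) {
            // Abort the request, as the thread suggests, without touching the servlet.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "missing or mismatched session header");
            return;
        }
        chain.doFilter(req, resp);
    }

    /** Compare without leaking how many leading bytes matched. */
    static boolean constantTimeEquals(String expected, String actual) {
        Charset utf8 = Charset.forName("UTF-8");
        return MessageDigest.isEqual(expected.getBytes(utf8), actual.getBytes(utf8));
    }
}
```

Map the filter only to the RequestFactory servlet's URL pattern in web.xml (the path you registered RequestFactoryServlet under), so that page loads and the GWT bootstrap scripts, which carry no header, are not blocked. The filter checks the session id itself because that is what the thread proposes; the same check works unchanged with a per-session random token stored as a session attribute instead of `session.getId()`, which avoids ever sending the session id in a header.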

On 1 December 2010 10:26, David Chandler <drfibona...@google.com> wrote:

> Hi Daniel,
>
> I haven't tested it yet, but I believe you can extend
> DefaultRequestTransport as discussed in this thread to set a request
> header containing your session ID or other XSRF token:
>
>
> http://groups.google.com/group/google-web-toolkit/browse_thread/thread/e835c3153bc62f4c/751df0dc6aa7eb40?lnk=gst&q=entitymanagerfactory#751df0dc6aa7eb40
>
> HTH,
> /dmc
>
> On Tue, Nov 30, 2010 at 10:38 PM, Daniel Cowx <daniel.c...@gmail.com>
> wrote:
> > Hi guys,
> >
> > I've been using GWT-RPC up until this point, but would like to make
> > the switch to RequestFactory shortly. I'm a bit confused as to how to
> > prevent CSRF/XSRF with RequestFactory though.
> >
> > As per http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ,
> > up to this point I've been sending the session ID within the *payload*
> > of each RPC. Works great. Should I be doing something similar with
> > RequestFactory? Any and all suggestions greatly welcome!
> >
> > Thanks,
> > Daniel
> >
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Google Web Toolkit" group.
> > To post to this group, send email to google-web-toolkit@googlegroups.com.
> > To unsubscribe from this group, send email to
> > google-web-toolkit+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> > http://groups.google.com/group/google-web-toolkit?hl=en.
> >
> >
>
>
>
> --
> David Chandler
> Developer Programs Engineer, Google Web Toolkit
> http://googlewebtoolkit.blogspot.com/
>
>
>
