Hi,

We keep getting sporadic XSRF attack errors in Hosted Mode.

They normally occur only when an application feature is first accessed (we don't use code-splitting, so it might be a red herring). We use vanilla GWT RPC. I've recorded the HTTP headers for a good request and a bad (i.e., XSRF attack) request. The bad request lacks the GWT header the XSRF protection expects, so the error is understandable.

Has anybody else experienced any problems? Have any suggestions (other than overriding RemoteServiceServlet.checkPermutationStrongName and effectively removing XSRF protection)?

===> Fail http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService

POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Length: 154
Content-Type: text/x-gwt-rpc; charset=utf-8
Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesvr=127.0.0.1:9997
Cookie: standalone_usage=true
Pragma: no-cache
Cache-Control: no-cache

7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|6808FDC8A4FA3491026441B59E4DB72A|org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|

HTTP/1.1 400 Bad Request
Content-Type: text/plain;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Wed, 23 Mar 2011 20:11:04 GMT
Server: Apache-Coyote/1.1
Connection: close

===> Success http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService

POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-GWT-Permutation: HostedMode
X-GWT-Module-Base: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/
Content-Type: text/x-gwt-rpc; charset=utf-8
Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesvr=127.0.0.1:9997
Content-Length: 154
Cookie: standalone_usage=true
Pragma: no-cache
Cache-Control: no-cache

7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|41FA1D8B82DBBBC875605A4A29670D99|org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|

HTTP/1.1 200 OK
Content-Disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 48
Date: Wed, 23 Mar 2011 20:15:38 GMT
Server: Apache-Coyote/1.1

Thanks,
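The practical way to pin down a sporadic "XSRF attack" rejection like the one above is to diff the headers of a failing request against a working one and to replay the server's check over both. The script below is an added example written for this thread, not GWT's code and not the poster's: its two sample requests are the captures from the post, trimmed to the headers that matter, and its check models only what the post says RemoteServiceServlet.checkPermutationStrongName does, namely reject a request with no X-GWT-Permutation header. The parser, the report keys and the "accepted/blocked" wording are assumptions of the example.

```python
"""Diff a failing GWT RPC request against a working one and model the
permutation-header check that the server applies.

Added example for the thread above. The raw requests are the captures
from the post, trimmed to the relevant headers; the parser and checks are
this example's own code (not GWT's), modelling the header check the post
names: a request without X-GWT-Permutation is blocked as a possible XSRF.
"""
from typing import Dict, List, Tuple

PERMUTATION_HEADER = "x-gwt-permutation"   # header the server-side check inspects
MODULE_BASE_HEADER = "x-gwt-module-base"   # companion header sent by the GWT client

# Failing capture from the post (400 Bad Request): no X-GWT-* headers.
BAD_REQUEST = "\n".join([
    "POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1",
    "Host: 127.0.0.1:8888",
    "Content-Length: 154",
    "Content-Type: text/x-gwt-rpc; charset=utf-8",
    "Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesvr=127.0.0.1:9997",
    "Cookie: standalone_usage=true",
    "",
    "7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|6808FDC8A4FA3491026441B59E4DB72A|"
    "org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|",
])

# Working capture from the post (200 OK): the two X-GWT-* headers are present.
GOOD_REQUEST = "\n".join([
    "POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1",
    "Host: 127.0.0.1:8888",
    "X-GWT-Permutation: HostedMode",
    "X-GWT-Module-Base: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/",
    "Content-Type: text/x-gwt-rpc; charset=utf-8",
    "Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesvr=127.0.0.1:9997",
    "Content-Length: 154",
    "Cookie: standalone_usage=true",
    "",
    "7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|41FA1D8B82DBBBC875605A4A29670D99|"
    "org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|",
])


def parse_request(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP/1.1 request into (request line, headers, body).

    Header names are lower-cased because HTTP header names are
    case-insensitive; CRLF and LF line endings are both accepted.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines rather than crash on them
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers, body.strip()


def check_permutation(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Model of the server-side check: block when the permutation header is absent.

    Returns (accepted, reason). The wording of the reason is this example's own.
    """
    permutation = headers.get(PERMUTATION_HEADER)
    if permutation is None:
        return False, "blocked: no X-GWT-Permutation header (treated as a possible XSRF attack)"
    module_base = headers.get(MODULE_BASE_HEADER, "<no module base>")
    return True, f"accepted: permutation {permutation!r} from {module_base}"


def missing_headers(good: Dict[str, str], bad: Dict[str, str]) -> List[str]:
    """Header names present on the working request but absent from the failing one."""
    return sorted(set(good) - set(bad))


def policy_strong_name(body: str) -> str:
    """Field 5 of a GWT RPC payload is the serialization-policy strong name.

    It changes between the two captures but is not what the permutation
    check inspects, so it is reported only to rule it out.
    """
    return body.split("|")[4]


def diagnose() -> Dict[str, object]:
    """Run the check and the header diff over both captures."""
    _, bad_headers, bad_body = parse_request(BAD_REQUEST)
    _, good_headers, good_body = parse_request(GOOD_REQUEST)
    return {
        "bad_accepted": check_permutation(bad_headers)[0],
        "bad_reason": check_permutation(bad_headers)[1],
        "good_accepted": check_permutation(good_headers)[0],
        "missing_on_bad": missing_headers(good_headers, bad_headers),
        "bad_policy_strong_name": policy_strong_name(bad_body),
        "good_policy_strong_name": policy_strong_name(good_body),
    }


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Running it reports the failing request as blocked, the working one as accepted, and lists `x-gwt-module-base` and `x-gwt-permutation` as the only headers the failing request lacks. That confirms the poster's reading: the request is otherwise a well-formed GWT RPC call to the same service, so the thing to trace is why the GWT client occasionally sends a request without its own headers, not whether the server-side check is wrong.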