On Wed, Jun 9, 2010 at 7:25 AM, Stuart Douglas <[email protected]>wrote:
> > It looks like this only affects apps that use encrypted client side state > saving? > Client-side state saving is extremely vulnerable to security hacks, something Christian and I have discussed extensively. The problem is, with client-side scripting, all the trust is on the client. You've got to have something on the server (or some other trust provider) to cross reference the request or else you are just asking for trouble. That's a lot of what the s:token tag is about...which we will be reviewing soon as we bring it into Seam 3. http://seamframework.org/Community/NewComponentTagStokenAimedToGuardAgainstCSRF http://seamframework.org/Documentation/CrossSiteRequestForgery -Dan -- Dan Allen Senior Software Engineer, Red Hat | Author of Seam in Action Registered Linux User #231597 http://mojavelinux.com http://mojavelinux.com/seaminaction http://www.google.com/profiles/dan.j.allen
_______________________________________________ seam-dev mailing list [email protected] https://lists.jboss.org/mailman/listinfo/seam-dev
