GWT and Cross Site Scripting - Isn't the "X-GWT-Permutation" header enough?

2009-09-16 Thread Sripathi Krishnan
I have read the discussion at http://groups.google.com/group/google-web-toolkit/web/security-for-gwt-applications and follow it completely. The general recommendation to prevent Cross Site Scripting is to duplicate the session id in the http request payload. Doing that takes some effort, and I don't

Re: GWT and Cross Site Scripting - Isn't the "X-GWT-Permutation" header enough?

2009-09-16 Thread Diego Lovison
In which class do you see this: "When I went through the code for GWT's RemoteServiceServlet, I see that it checks for the presence of a HTTP header "X-GWT-Permutation", and fails the service if absent."?

On 16 Sep, 11:55, Sripathi Krishnan wrote:
> I have read the discussion
> at http://groups.go

Re: GWT and Cross Site Scripting - Isn't the "X-GWT-Permutation" header enough?

2009-09-16 Thread Sripathi Krishnan
1) The client class RpcRequestBuilder sets the following headers in the doFinish() method --

    protected void doFinish(RequestBuilder rb) {
      rb.setHeader(STRONG_NAME_HEADER, GWT.getPermutationStrongName());
      rb.setHeader(MODULE_BASE_HEADER, GWT.getModuleBaseURL());
    }

2) On the server