GWT RPC - Does it do enough to protect against CSRF ?
Posted by sri on Stack Overflow
Published on 2010-04-09T18:20:02Z
GWT's RPC mechanism does the following things on every HTTP request:
- Sets two custom request headers: X-GWT-Permutation and X-GWT-Module-Base
- Sets the content type to text/x-gwt-rpc; charset=utf-8
The HTTP request is always a POST, and on the server side GET methods throw an exception (method not supported).
Also, if these headers are not set or have the wrong value, the server fails processing with an exception "possibly CSRF?" or something to that effect.
Question is: Is this sufficient to prevent CSRF? Is there a way to set custom headers and change the content type in a pure cross-site request forgery method?
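As an added illustration (not code from the question or from GWT itself), here is a small model of the three server-side checks the question lists, run against constructed sample requests; the expected module base and the permutation value are placeholders, and the permutation is only checked for presence.

```python
# Added example modelling the request checks described above; not GWT's own code.
from dataclasses import dataclass, field

GWT_RPC_CONTENT_TYPE = "text/x-gwt-rpc"
# Placeholder: the module base URL the server expects for this deployment.
EXPECTED_MODULE_BASE = "https://app.example/app/"


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)
    body: str = ""


def _header(req: Request, name: str):
    # HTTP header names are case-insensitive, so compare them lower-cased.
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def check_gwt_rpc_request(req: Request):
    """Return (accepted, reason) by applying the checks the question describes."""
    # 1. Only POST is served; GET is rejected outright.
    if req.method.upper() != "POST":
        return False, "method not supported"
    # 2. The body must be declared as text/x-gwt-rpc (charset parameter ignored).
    ctype = (_header(req, "Content-Type") or "").split(";")[0].strip().lower()
    if ctype != GWT_RPC_CONTENT_TYPE:
        return False, "possibly CSRF? unexpected content type"
    # 3. Both custom headers must be present, and the module base must match.
    if not _header(req, "X-GWT-Permutation"):
        return False, "possibly CSRF? missing X-GWT-Permutation"
    if _header(req, "X-GWT-Module-Base") != EXPECTED_MODULE_BASE:
        return False, "possibly CSRF? wrong or missing X-GWT-Module-Base"
    return True, "ok"


# Constructed samples: a genuine GWT-RPC call and two requests a plain HTML
# form could produce (forms cannot add custom headers or this content type).
LEGIT = Request("POST", {
    "Content-Type": "text/x-gwt-rpc; charset=utf-8",
    "X-GWT-Permutation": "PLACEHOLDER_PERMUTATION",
    "X-GWT-Module-Base": EXPECTED_MODULE_BASE,
}, "7|0|...")
FORM_POST = Request("POST", {"Content-Type": "application/x-www-form-urlencoded"}, "a=1")
FORM_GET = Request("GET", {}, "")
```

Running `check_gwt_rpc_request` on the three samples accepts only `LEGIT`; the form-style POST fails on content type and the GET fails on method, which is the behaviour the question attributes to the GWT server.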