GWT RPC - Does it do enough to protect against CSRF ?

Posted by sri on Stack Overflow See other posts from Stack Overflow or by sri
Published on 2010-04-09T18:20:02Z Indexed on 2010/04/09 18:23 UTC
Read the original article Hit count: 352

Filed under:
|
|
|

GWT's RPC mechanism does the following things on every HTTP Request -

  1. Sets two custom request headers - X-GWT-Permutation and X-GWT-Module-Base
  2. Sets the content-type as text/x-gwt-rpc; charset=utf-8

The HTTP request is always a POST, and on server side GET methods throw an exception (method not supported).

Also, if these headers are not set or have the wrong value, the server fails processing with an exception "possibly CSRF?" or something to that effect.

Question is : Is this sufficient to prevent CSRF? Is there a way to set custom headers and change content type in a pure cross-site request forgery method?

© Stack Overflow or respective owner

Related posts about gwt

Related posts about gwt-rpc