[rules-dev] Guvnor XSRF attack?

Anybody else see these errors in Guvnor (5.2.0.M1)? ERROR 03-02 16:35:38,914 (LoggingHelper.java:error:70) Blocked request without GWT permutation header (XSRF attack?) java.lang.SecurityException: Blocked request without GWT permutation header (XSRF attack?) GWT2.1 introduced support for preventing XSRF attacks; see here<http://groups.google.com/group/google-web-toolkit/web/security-fo... . I get these errors quite regularly (Firefox 3.6.13, Ubuntu 10.10) both in hosted and web modes (Tomcat 6.0.30). I've looked through the GWT source and (at least in hosted mode) the additional HTTP header to prevent these errors are added as part of GWT's client-side serialisation before POSTing to our RepositoryServiceServlet. I can't therefore explain why I therefore get these errors. In my experience; once the error has occured and dismissed the page\function\operation can be repeated without the error re-occuring (i.e. view "Business rule assets" in the Tree Browser and it may fail the first time; however works the next and the next... until the server is restarted, when the cycle continues). The errors can be completely removed by overriding GWT's com.google.gwt.user.server.rpc.RemoteServiceServlet.checkPermutationStrongName to not check the HTTP header and simply return; however this effectively removes XSRF protection (although not implemented pre-GWT2.1 and hence not in Guvnor <=5.1). I put the email out so people are aware (we switched to GWT2.1 for 5.2.0.M1) so our users may start to report the same error; in which case we should perhaps be prepared for the quick fix... With kind regards, Mike