Anybody else see these errors in Guvnor (5.2.0.M1)?<br><br><span style="font-family: courier new,monospace;">ERROR 03-02 16:35:38,914 (LoggingHelper.java:error:70)      Blocked request without GWT permutation header (XSRF attack?)</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">java.lang.SecurityException: Blocked request without GWT permutation header (XSRF attack?)</span><br style="font-family: courier new,monospace;"><br>GWT2.1 introduced support for preventing XSRF attacks; see <a href="http://groups.google.com/group/google-web-toolkit/web/security-for-gwt-applications?pli=1">here</a>.<br>
<br>I get these errors quite regularly (Firefox 3.6.13, Ubuntu 10.10) both in hosted and web modes (Tomcat 6.0.30). I&#39;ve looked through the GWT source and (at least in hosted mode) the additional HTTP header to prevent these errors are added as part of GWT&#39;s client-side serialisation before POSTing to our RepositoryServiceServlet. I can&#39;t therefore explain why I therefore get these errors. In my experience; once the error has occured and dismissed the page\function\operation can be repeated without the error re-occuring (i.e. view &quot;Business rule assets&quot; in the Tree Browser and it may fail the first time; however works the next and the next... until the server is restarted, when the cycle continues). The errors can be completely removed by overriding GWT&#39;s com.google.gwt.user.server.rpc.RemoteServiceServlet.checkPermutationStrongName to not check the HTTP header and simply return; however this effectively removes XSRF protection (although not implemented pre-GWT2.1 and hence not in Guvnor &lt;=5.1).<br>
<br>I put the email out so people are aware (we switched to GWT2.1 for 5.2.0.M1) so our users may start to report the same error; in which case we should perhaps be prepared for the quick fix...<br><br>With kind regards,<br>
<br>Mike<br>