I created a new JIRA issue to remind me to do something about
preventing/limiting XSS attacks in Seam Remoting:
https://jira.jboss.org/jira/browse/JBSEAM-3482
However I'm still not totally clear how I should be tackling this
problem, probably because I don't fully understand the mechanism behind
an XSS attack. We already have an incremental call ID value passed with
each remote request, so this could possibly be used as our "canary"
value. In any case, could you please walk me through the moving parts
of an XSS attack step by step just so we're clear on what needs to be
protected?
Christian Bauer wrote:
Because it is back on Slashdot again today, I remembered why the
"let's automatically build a view if we don't have one in RESTORE VIEW
phase" proposal in JSF 2.0 was not sitting right with me.
You need a little background on XSRF (Wikipedia or something) and see
the older discussion here and especially my last comment:
http://www.seamframework.org/Community/IsSeamRemotingVulnerableToCrossSit...
I actually now think that we should have a cryptographically strong
(and of course mandatory) view identifier for better XSRF protection.
There are some other solutions worth discussing but AFAIK most of the
good ones involve a token/session mapping of some kind, so we run into
the "view has expired" problem again.
_______________________________________________
seam-dev mailing list
seam-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/seam-dev
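The moving parts of the cross-site request forgery discussed above, as an added runnable sketch that is not part of the thread and not Seam's code: a constructed in-memory server and browser model, a victim session, an attacker page that fires requests with the victim's cookie attached, and two server-side checks side by side, the incremental call ID used as the canary and a cryptographically strong per-view token bound to the session (single use, time-limited, so the "view has expired" case shows up as a distinct status). The cookie name JSESSIONID, the TOKEN_TTL_SECONDS lifetime, the status codes and all class and function names are assumptions made for the example.

```python
import hmac
import secrets
import time

# Assumed view/token lifetime in seconds (not a Seam setting; chosen for the example).
TOKEN_TTL_SECONDS = 600


class Server:
    """Constructed stand-in for the application server; not Seam's code."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be exercised
        self.sessions = {}      # session id -> {"user", "next_call", "tokens"}
        self.transfers = []     # side effects of accepted state-changing calls

    def login(self, user):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": user, "next_call": 1, "tokens": {}}
        return sid

    def _session(self, cookies):
        return self.sessions.get(cookies.get("JSESSIONID"))

    # Scheme 1: the incremental call ID as the canary. The only "secret" is
    # which number comes next, and it always starts at 1 for a fresh session.
    def handle_with_call_id(self, cookies, body):
        sess = self._session(cookies)
        if sess is None:
            return 401
        if body.get("callId") != sess["next_call"]:
            return 403
        sess["next_call"] += 1
        self.transfers.append((sess["user"], body.get("to"), body.get("amount")))
        return 200

    # Scheme 2: a random token issued when the view is rendered, stored with the
    # session, single-use and time-limited.
    def render_view(self, cookies):
        sess = self._session(cookies)
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        sess["tokens"][token] = self.now()
        return token

    def handle_with_token(self, cookies, body):
        sess = self._session(cookies)
        if sess is None:
            return 401
        supplied = str(body.get("token", "")).encode()
        matched = None
        for issued in sess["tokens"]:
            # constant-time compare so response timing leaks nothing about the token
            if hmac.compare_digest(issued.encode(), supplied):
                matched = issued
        if matched is None:
            return 403
        issued_at = sess["tokens"].pop(matched)    # single use: a replay gets 403
        if self.now() - issued_at > TOKEN_TTL_SECONDS:
            return 410                             # the "view has expired" case
        self.transfers.append((sess["user"], body.get("to"), body.get("amount")))
        return 200


class Browser:
    """The victim's browser: attaches the target site's cookies to every request
    to that site, whichever page caused the request."""

    def __init__(self):
        self.cookies = {}


def victim_logs_in(server):
    # Step 1: the victim authenticates; the browser now holds a session cookie.
    browser = Browser()
    browser.cookies["JSESSIONID"] = server.login("alice")
    return browser


def attacker_page_guesses_call_id(server, browser):
    # Steps 2-3: the victim opens the attacker's page, which fires requests at the
    # target site. The browser attaches the cookie; the attacker cannot read the
    # victim's page state, but the call ID is predictable, so a few guesses suffice.
    for guess in range(1, 5):
        status = server.handle_with_call_id(
            browser.cookies, {"callId": guess, "to": "mallory", "amount": 100})
        if status == 200:
            return guess
    return None


def attacker_page_guesses_token(server, browser):
    # Same attack against the token scheme: the same-origin policy keeps the real
    # token out of the attacker's reach, and guessing 256 bits is hopeless.
    return server.handle_with_token(
        browser.cookies, {"token": secrets.token_urlsafe(32), "to": "mallory", "amount": 100})


def legitimate_call(server, browser):
    # The real page rendered by the server carries the token and echoes it back.
    token = server.render_view(browser.cookies)
    return server.handle_with_token(
        browser.cookies, {"token": token, "to": "bob", "amount": 5})
```

The point the two handlers make: the session cookie alone cannot tell a forged request from a real one, because the browser sends it either way, so the distinguishing value has to be something the attacker's page can neither read (same-origin policy) nor predict (a CSPRNG token rather than a counter). Binding the token to the session and expiring it is what reintroduces the "view has expired" behaviour, so the lifetime and the single-use rule are the knobs to tune against usability.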