Recently I've been working on some Google Web Toolkit (GWT) libraries that involve JSON and JSONP. While working on this project, I've been reminded just how tricky AJAX can be. It's no secret that there are a lot of people out there who spend huge portions of their lives thinking up ways to steal your data (or worse). Unfortunately, the same cool tricks that let you build AJAX sites and mashups also make it easy to build unsafe web applications. Some of the attacks evildoers have come up with are downright devious!
One of the key goals of GWT is to let developers focus on their users' needs, instead of on JavaScript and browser quirks. However, the consequences of a security exploit can be serious, so it's important that GWT developers understand how such attacks work, and how to prevent them.
To help get the word out, I've put together an article on my experiences. Eventually we'll merge its contents into the GWT Developer Documentation, but we thought that it was important to get this out to GWT developers rather than wait for the next documentation update.
You can find the article here: Security for GWT Applications. I hope you find it useful; if you do (or even if you don't), please feel free to let me know in the GWT Developer Forum!
