2

We have developed a web application using Java and GWT. Now we are fixing the following issues:

Security Issues:

  1. X-Frame-Options:
  2. X-XSS-Protection:

Cookie:

  1. HttpOnly and Secure

Of the above 3 issues we are able to fix the first 2, but we are unable to fix the third, because we access cookies created by the server on the client side, which is developed with GWT (JavaScript). So we are thinking that it cannot be fixed for our application, or can it be ignored because we fixed "X-Frame-Options", which disallows JavaScript injection into our website?

Please give me a suggestion about the above issue.

M.S.Naidu
  • 2,239
  • 5
  • 32
  • 56
  • What is your application server? – seenukarthi Aug 07 '15 at 07:23
  • We are using Apache Tomcat 7 (7.0.63) – M.S.Naidu Aug 07 '15 at 07:25
  • Check http://stackoverflow.com/questions/33412/how-do-you-configure-httponly-cookies-in-tomcat-java-webapps and https://tomcat.apache.org/migration-7.html#Session_cookie_configuration – seenukarthi Aug 07 '15 at 07:26
  • @KarthikeyanVaithilingam, thanks for the link. Since we are using GWT on the client side, we cannot do all the stuff at the Tomcat level. – M.S.Naidu Aug 07 '15 at 07:28
  • @M.S.Naidu: Please share how you resolved all those security issues. I am facing exactly the same problem with one of my applications, developed using SmartGWT and deployed in JBoss 5. – Karthikeyan Dec 01 '17 at 04:57

2 Answers

1

HttpOnly and Secure

You can set the secure flag on cookies and you will still be able to access them via JavaScript. Please note that the whole of the application that uses GWT will need to be accessed over https for this to work.

If your application requires that all cookies are read via JavaScript then you cannot set the HttpOnly flag. Please note that this is only important for session or authentication cookies - if it is possible to set those to HttpOnly and leave your others without the flag then this is the way to go.

Note that X-Frame-Options does not provide any more protection against JavaScript injection into your website than normal. The Same Origin Policy does this as standard. X-Frame-Options simply prevents your site loading into a frameset or IFrame to mitigate clickjacking.

SilverlightFox
  • 32,436
  • 11
  • 76
  • 145
0

The GWT Cookies.setCookie method doesn't support HttpOnly. You can just create your own setCookie method to set it if you like. However, you won't be able to read the cookie from JavaScript if you do.

I needed to set the cookie value SameSite to be Lax, so just created the following method:

public static native void setCookie(String name, String value, double expires, boolean secure) /*-{
    // JSNI: the body is JavaScript running in the browser, so $doc is the page document.
    var c = name + '=' + value;
    // expires is a millisecond timestamp; 0 (falsy) means a session cookie with no Expires attribute.
    if (expires)
        c += ';expires=' + (new Date(expires)).toGMTString();
    // Secure and SameSite=Lax are written together; HttpOnly cannot be set from JavaScript at all.
    if (secure)
        c += ';secure;SameSite=Lax';
    $doc.cookie = c;
}-*/;

Easy! :)

Craigo
  • 3,384
  • 30
  • 22
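The two answers above split cookies into two groups: session or authentication cookies, which the GWT client never needs to read and which should carry HttpOnly, Secure and SameSite, and cookies the client reads through Cookies.getCookie(), which can carry Secure but not HttpOnly. Since HttpOnly can only be set by the server, the following is an added example (not code from the question or either answer) of a server-side helper that emits the Set-Cookie header value for each group. The class name SetCookieHeader and its methods are hypothetical; the sample cookie names and values are constructed. It assumes the result is passed to HttpServletResponse.addHeader("Set-Cookie", ...), which is how SameSite can be sent from Tomcat 7, whose javax.servlet.http.Cookie class has setHttpOnly(boolean) and setSecure(boolean) but no SameSite support. For the container-managed JSESSIONID itself, the Servlet 3.0 web.xml element <session-config><cookie-config><http-only>true</http-only><secure>true</secure></cookie-config></session-config> sets the same two flags without any application code.

```java
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.time.format.DateTimeFormatter;
import java.util.regex.Pattern;

/**
 * Builds Set-Cookie header values with explicit security attributes.
 * Hypothetical helper for a Java/GWT application on Tomcat 7; the header
 * string is meant for HttpServletResponse.addHeader("Set-Cookie", ...).
 */
public final class SetCookieHeader {

    // Characters that would let a value smuggle in extra attributes or a second header line.
    private static final Pattern UNSAFE_VALUE = Pattern.compile("[;,\\s\"\\\\\\p{Cntrl}]");
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+");

    /** Session/auth cookies: HttpOnly so GWT/JSNI code cannot read them, plus Secure and SameSite=Lax. */
    public static String sessionCookie(String name, String value, long maxAgeSeconds) {
        return build(name, value, maxAgeSeconds, true, true, "Lax");
    }

    /** Cookies the GWT client must read via Cookies.getCookie(): Secure and SameSite, but NOT HttpOnly. */
    public static String clientReadableCookie(String name, String value, long maxAgeSeconds) {
        return build(name, value, maxAgeSeconds, true, false, "Lax");
    }

    static String build(String name, String value, long maxAgeSeconds,
                        boolean secure, boolean httpOnly, String sameSite) {
        if (!SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("unsafe cookie name: " + name);
        }
        if (UNSAFE_VALUE.matcher(value).find()) {
            throw new IllegalArgumentException("unsafe cookie value for " + name);
        }
        StringBuilder sb = new StringBuilder(name).append('=').append(value).append("; Path=/");
        if (maxAgeSeconds > 0) {
            // Max-Age for modern browsers, Expires (RFC 1123 date in GMT) for older ones.
            ZonedDateTime expires = ZonedDateTime.now(ZoneOffset.UTC).plusSeconds(maxAgeSeconds);
            sb.append("; Max-Age=").append(maxAgeSeconds)
              .append("; Expires=").append(DateTimeFormatter.RFC_1123_DATE_TIME.format(expires));
        }
        if (secure) sb.append("; Secure");
        if (httpOnly) sb.append("; HttpOnly");
        if (sameSite != null) sb.append("; SameSite=").append(sameSite);
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values: a 30-minute auth token and a 1-day UI preference.
        System.out.println(sessionCookie("AUTHTOKEN", "a1b2c3d4", 1800));
        System.out.println(clientReadableCookie("uiLocale", "en_US", 86400));
        try {
            build("evil", "x; HttpOnly\r\nSet-Cookie: y=z", 0, true, false, null);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The validation step matters more than the attribute list: a cookie value taken from user input that contains ";" or a line break can add or strip attributes (or an entire extra header) from the response, so the helper refuses such values instead of trusting the caller. With this split in place, the finding from the question is answered per cookie rather than for the whole application: every cookie gets Secure, and only the ones the GWT client genuinely reads go without HttpOnly.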