GWT: XSRF: Sporadic missing X-GWT-Permutation header
My application receives occasional XSRF Attack errors raised by GWT when RemoteServiceServlet.checkPermutationStrongName() fails to find an X-GWT-Permutation HTTP header in the HttpServletRequest. When the error occurs, the following line appears in the log file:
WARNING: doUnexpectedFailure was invoked.
java.lang.SecurityException: Blocked request without GWT permutation header (XSRF attack?)
The problem has been experienced on Firefox 3.x and 4.0 in both Hosted Mode and Web Mode.
I've run Live Headers and the HTTP header is indeed missing.
The application is vanilla GWT RPC.
Any ideas?
Failure headers
http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService
POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Length: 154
Content-Type: text/x-gwt-rpc; charset=utf-8
Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesv...
Cookie: standalone_usage=true
Pragma: no-cache
Cache-Control: no-cache
7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|
6808FDC8A4FA3491026441B59E4DB72A|
org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|
HTTP/1.1 400 Bad Request
Content-Type: text/plain;charset=ISO-8859-1
Transfer-Encoding: chunked
Date: Wed, 23 Mar 2011 20:11:04 GMT
Server: Apache-Coyote/1.1
Connection: close
Success headers
http://127.0.0.1:8888/org.drools.guvnor.Guvnor/guvnorService
POST /org.drools.guvnor.Guvnor/guvnorService HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.15) Gecko/20110303 Ubuntu/10.10 (maverick) Firefox/3.6.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
X-GWT-Permutation: HostedMode
X-GWT-Module-Base: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/
Content-Type: text/x-gwt-rpc; charset=utf-8
Referer: http://127.0.0.1:8888/org.drools.guvnor.Guvnor/Guvnor.html?gwt.codesv...
Content-Length: 154
Cookie: standalone_usage=true
Pragma: no-cache
Cache-Control: no-cache
7|0|4|http://127.0.0.1:8888/org.drools.guvnor.Guvnor/|
41FA1D8B82DBBBC875605A4A29670D99|
org.drools.guvnor.client.rpc.RepositoryService|subscribe|1|2|3|4|0|
HTTP/1.1 200 OK
Content-Disposition: attachment
Content-Type: application/json;charset=utf-8
Content-Length: 48
Date: Wed, 23 Mar 2011 20:15:38 GMT
Server: Apache-Coyote/1.1
I am facing the same problem with my application. Looks like Firefox 3.x is not sending the extra request header when it is set on the XMLHttpRequest object!
A quick fix for this is to override the checkPermutationStrongName() method in the server-side RPC implementation with an empty implementation.
// Replaces GWT's check for the X-GWT-Permutation header with a no-op
@Override
protected void checkPermutationStrongName() throws SecurityException {
    return;
}
I think we need to report this as an issue to Firefox to get a proper fix.
Based on my experience, FF occasionally drops any header that begins with "X-".
This error appeared in our logs for the first time on March 30, so it can be related to FF 4.0, I think (FF4 shipped on 22.03). A few days before, we also migrated from GWT 2.0.4 to 2.1.1; this can also be a hint. Our app has been heavily tested in a production environment for 7 months. Maybe this information will help someone.

I was looking for a method of detecting an outdated GWT app in the browser cache. When the application is deployed on the server, I check the permutation names generated by the current build and store them in a list. Every RPC request is checked for the existence of the GWT permutation it was sent by. With this error my mechanism is blown up.
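The two server-side approaches in this thread are the empty override in the first answer (which removes the header check altogether) and the per-deployment permutation list described in the answer just above. The following is an added example, not code from the question, the answers, GWT or Guvnor, showing the second approach as a RemoteServiceServlet subclass: it keeps the presence check that stock GWT performs on X-GWT-Permutation (GWT's own checkPermutationStrongName() only tests that the header is non-null; the hash in the RPC body, such as 6808FDC8A4FA3491026441B59E4DB72A above, is the serialization policy strong name, not the permutation) and additionally rejects header values that do not name a permutation of the currently deployed build. The class name, the gwtModuleDir and allowHostedMode init-parameters, and the handling of the "HostedMode" value seen in the success capture are assumptions made for this example.

```java
// Added example (not from the original thread, GWT or Guvnor): a GWT RPC
// servlet that validates X-GWT-Permutation against the strong names of the
// permutations compiled into this deployment. Class name, init-parameter
// names and the module path are assumptions for illustration.
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import javax.servlet.ServletConfig;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

import com.google.gwt.user.server.rpc.RemoteServiceServlet;

public class PermutationCheckingServlet extends RemoteServiceServlet {
    private static final Logger LOG =
        Logger.getLogger(PermutationCheckingServlet.class.getName());

    // Value the GWT client sends in development (hosted) mode, as seen in
    // the "Success headers" capture in the question.
    private static final String HOSTED_MODE = "HostedMode";

    // Strong names of the permutations that belong to the deployed build.
    private Set<String> knownPermutations = Collections.emptySet();
    private boolean allowHostedMode;

    @Override
    public void init(ServletConfig config) throws ServletException {
        super.init(config);
        // Hypothetical init-parameters: the module output directory inside the
        // web app (e.g. "/org.drools.guvnor.Guvnor/") and whether hosted-mode
        // clients are acceptable on this server.
        String moduleDir = config.getInitParameter("gwtModuleDir");
        allowHostedMode = "true".equals(config.getInitParameter("allowHostedMode"));
        knownPermutations =
            loadPermutations(config.getServletContext().getResourcePaths(moduleDir));
        LOG.info("Loaded " + knownPermutations.size() + " GWT permutation strong names");
    }

    // The GWT compiler writes one <strongName>.cache.html (or .cache.js, with
    // the cross-site linker) file per permutation into the module directory;
    // the strong name is the hash that forms the file name.
    static Set<String> loadPermutations(Set<?> resourcePaths) {
        Set<String> names = new HashSet<String>();
        if (resourcePaths == null) {
            return names;
        }
        for (Object item : resourcePaths) {
            String path = String.valueOf(item);
            String file = path.substring(path.lastIndexOf('/') + 1);
            int cut = file.indexOf(".cache.");
            if (cut > 0 && (file.endsWith(".cache.html") || file.endsWith(".cache.js"))) {
                names.add(file.substring(0, cut));
            }
        }
        return names;
    }

    @Override
    protected void checkPermutationStrongName() throws SecurityException {
        // Same presence check that stock GWT performs: getPermutationStrongName()
        // returns the X-GWT-Permutation header, or null when it is absent.
        String strongName = getPermutationStrongName();
        if (strongName == null) {
            throw new SecurityException(
                "Blocked request without GWT permutation header (XSRF attack?)");
        }
        if (HOSTED_MODE.equals(strongName)) {
            if (!allowHostedMode) {
                throw new SecurityException("Hosted-mode permutation not allowed here");
            }
            return;
        }
        // Stricter than stock GWT: the value must name a permutation of the
        // current build. A stale client served from the browser cache sends the
        // strong name of an older build and is rejected (and logged) here.
        if (!knownPermutations.contains(strongName)) {
            HttpServletRequest req = getThreadLocalRequest();
            LOG.warning("Unknown GWT permutation " + strongName + " from "
                + req.getRemoteAddr() + " for " + req.getRequestURI());
            throw new SecurityException("Unknown GWT permutation (stale client?)");
        }
    }
}
```

The servlet is wired in web.xml like any RemoteServiceServlet, with the two assumed init-parameters. Note that this does not make the sporadic failure in the question go away: a request that arrives with no header is still rejected, exactly as with stock GWT. The empty override in the first answer avoids the error but discards the presence check that GWT uses as its XSRF signal, so it is a trade-off rather than a fix.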