Question

We build a GWT app (using gwt-maven-plugin) resulting in a .war file. Currently this .war file contains a file called hosted.html, which is used to run in development (née hosted) mode, when query parameter gwt.codesvr=... is specified.

Is there a security risk in having this in the .war file in production, or is there another reason to make sure this file does not end up in the .war file?

If so, what is the simplest way to do so?

Thanks!


Solution

The GWT dev plugin requires the webserver+codeserver pair of host+port to be whitelisted so there's absolutely no security risk in deploying hosted.html. The benefit of deploying it is that you can debug your app with your production server.

Note: that necessary whitelisting is to prevent “XSS triggered by a simple query-string parameter”. An attacker could otherwise make you run a trusted GWT app with their own code server.
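For anyone who still prefers not to ship hosted.html (the answer above argues it is harmless, but some deployments strip every development-only artifact from production builds as a matter of policy), the simplest approach with a Maven build is to exclude it at packaging time with maven-war-plugin's packagingExcludes setting. This is an added example, not from the original question or answer; the plugin version and the exclusion pattern are assumptions, and the exclusion affects only the packaged .war, so local development mode still works as before.

```xml
<!-- pom.xml fragment (added example; not from the original post).
     Drops hosted.html from the packaged .war only; the GWT compiler
     still produces the file, so local dev mode is unaffected. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-war-plugin</artifactId>
      <version>3.3.2</version> <!-- assumed; use your project's version -->
      <configuration>
        <!-- Ant-style pattern: matches hosted.html under any GWT module directory -->
        <packagingExcludes>**/hosted.html</packagingExcludes>
      </configuration>
    </plugin>
  </plugins>
</build>
```

After the build, `unzip -l target/yourapp.war | grep hosted.html` should print nothing; that single check is a cheap way to confirm the exclusion actually took effect before the artifact is promoted to production.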

Licensed under: CC-BY-SA with attribution