users@jersey.java.net

[Jersey] Re: CSRF filter not safe?

From: Miroslav Fuksa <miroslav.fuksa_at_oracle.com>
Date: Thu, 5 Jun 2014 13:44:18 +0200

Hi Gili,

what enhancements do you suggest? The answers to the question below suggest using a randomly generated token whose value was previously sent by the server in a response. This would mean that we would need to refuse every request without the header and send back the token. Then, in the subsequent request, the token could be used. This would increase the number of requests needed to get the resource. Or did I misunderstand something?

The Javadoc of CsrfProtectionFilter precisely describes the implementation and points to resources. We can add some notice, but in this case it would be good to know what the correct implementation is, or at least to point to some resources that describe the problem with this solution.

Thanks
Mira

On Jun 5, 2014, at 2:33 AM, cowwoc <cowwoc_at_bbs.darktech.org> wrote:

> According to http://security.stackexchange.com/a/23373/5002 the CSRF filter that ships with Jersey might not be safe, or not very much longer. Perhaps it's worth adding a warning to the Javadoc and/or enhancing the implementation?
>
> Gili
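The token flow Mira describes above, modelled as an added example (this is not Jersey code and not the CsrfProtectionFilter's implementation): a server-side filter issues a per-session random token, refuses unsafe requests that lack it, and the client retries with it, which is where the extra round trip comes from. The header name, session ids and the in-memory token store are constructed for illustration.

```python
import secrets
import hmac

HEADER = "X-CSRF-Token"  # constructed header name, not the one Jersey uses
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # read-only methods are not checked


class TokenFilter:
    """Server side: per-session random token, required on every unsafe method."""

    def __init__(self):
        self._tokens = {}  # session id -> token (constructed in-memory store)

    def _issue(self, session):
        # One token per session; generated with a CSPRNG so it cannot be guessed.
        if session not in self._tokens:
            self._tokens[session] = secrets.token_urlsafe(32)
        return self._tokens[session]

    def handle(self, session, method, headers):
        """Return (status, response headers) for one request."""
        if method in SAFE_METHODS:
            return 200, {HEADER: self._issue(session)}
        sent, expected = headers.get(HEADER), self._tokens.get(session)
        if sent is None or expected is None or not hmac.compare_digest(
            sent.encode(), expected.encode()
        ):
            # Refuse, but hand back a token so the client can retry.
            return 403, {HEADER: self._issue(session)}
        return 200, {}


class Client:
    """Client side: caches the token and retries once when refused."""

    def __init__(self, filt, session):
        self.filt, self.session, self.token, self.requests = filt, session, None, 0

    def post(self):
        self.requests += 1
        status, resp = self.filt.handle(
            self.session, "POST", {HEADER: self.token} if self.token else {})
        if status == 403 and HEADER in resp:  # extra round trip on first use
            self.token = resp[HEADER]
            self.requests += 1
            status, _ = self.filt.handle(self.session, "POST", {HEADER: self.token})
        return status


def demo():
    f, c = TokenFilter(), Client(TokenFilter(), "sess-A")
    c.filt = f
    first, second = c.post(), c.post()  # 2 requests, then 1 (token cached)
    forged, _ = f.handle("sess-A", "POST", {HEADER: "guess"})  # cross-site forgery
    return first, second, c.requests, forged
```

Running demo() gives two accepted POSTs after three requests in total and a 403 for the request carrying a guessed token.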