Safari, GET and CSRF

Versions of Safari (up to 1.2) and Opera Mobile (up to at least 8.6.5) have buggy XHR implementations that claim to support GET and POST, however the body of POST requests is lost.

To work around this limitation DWR automatically detects buggy versions of Safari and switches from POST (the default) to GET.

There are 2 downsides of GET:

• There is a limit to the amount of data that can be passed in a GET request, and it's not hard to hit that limit.
• GET requests are a lot easier to forge than POST requests. POST is still forgable using DOM form manipulation (in fact DWR does this to submit iframe/POST requests) however it is more work, so it will slow attackers down.

From DWR version 2.0 the default is to disallow GET requests because the majority of Safari users are on less buggy versions of the browser.

If you wish to enable GET for maximum compatibility, and accept the slightly increased security risks, you should set the allowGetForSafariButMakeForgeryEasier init-param to true.

Add to your WEB-INF/web.xml as follows:

<servlet>
  <servlet-name>dwr-invoker</servlet-name>
  <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
  <init-param>
    <param-name>allowGetForSafariButMakeForgeryEasier</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>