Safari, GET and CSRF

Versions of Safari (up to 1.2) and Opera Mobile (up to at least 8.6.5) have buggy XHR implementations that claim to support both GET and POST; however, the body of POST requests is lost.

To work around this limitation, DWR automatically detects buggy versions of Safari and switches from POST (the default) to GET.

There are 2 downsides of GET:

From DWR version 2.0 onwards the default is to disallow GET requests, because the majority of Safari users are on less buggy versions of the browser.

If you wish to enable GET for maximum compatibility, and accept the slightly increased security risk (as the name of the setting warns, GET requests are easier to forge), set the allowGetForSafariButMakeForgeryEasier init-param to true.

Add the following to your WEB-INF/web.xml:

<servlet>
  <servlet-name>dwr-invoker</servlet-name>
  <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
  <init-param>
    <param-name>allowGetForSafariButMakeForgeryEasier</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>
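Because this setting is easy to enable for a compatibility test and then forget, a deployment review should check for it. The following script is an added example for this page, not part of DWR or of the original documentation: it parses a web.xml, finds every servlet whose class is org.directwebremoting.servlet.DwrServlet, and reports any that set allowGetForSafariButMakeForgeryEasier to true. It assumes only the standard web.xml layout shown above (servlet, servlet-name, servlet-class, init-param with param-name and param-value), and it strips XML namespaces so that descriptors declaring the usual javaee namespace are handled the same as unqualified ones. The two sample descriptors embedded in it are constructed for the example.

```python
"""Audit a web.xml for DWR's allowGetForSafariButMakeForgeryEasier setting.

Added example for this page, not DWR project code.  Assumes the standard
web.xml servlet layout; namespace-qualified descriptors are handled by
stripping the namespace from each tag.
"""
import xml.etree.ElementTree as ET

DWR_SERVLET_CLASS = "org.directwebremoting.servlet.DwrServlet"
GET_PARAM = "allowGetForSafariButMakeForgeryEasier"


def _local(tag):
    """Strip an XML namespace: '{http://java.sun.com/xml/ns/javaee}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def dwr_init_params(web_xml_text):
    """Return {servlet-name: {param-name: param-value}} for every DwrServlet found."""
    root = ET.fromstring(web_xml_text)
    result = {}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = None
        params = {}
        for child in servlet:
            tag = _local(child.tag)
            text = (child.text or "").strip()
            if tag == "servlet-name":
                name = text
            elif tag == "servlet-class":
                cls = text
            elif tag == "init-param":
                # An init-param is a pair of param-name / param-value children.
                kv = {_local(g.tag): (g.text or "").strip() for g in child}
                if "param-name" in kv:
                    params[kv["param-name"]] = kv.get("param-value", "")
        if cls == DWR_SERVLET_CLASS and name is not None:
            result[name] = params
    return result


def get_allowed(web_xml_text):
    """True if any DwrServlet enables GET; absent means the DWR 2.0 default (false)."""
    return any(
        params.get(GET_PARAM, "false").strip().lower() == "true"
        for params in dwr_init_params(web_xml_text).values()
    )


def audit(web_xml_text):
    """Return one finding per DwrServlet that allows GET; empty list means POST-only."""
    findings = []
    for name, params in dwr_init_params(web_xml_text).items():
        if params.get(GET_PARAM, "false").strip().lower() == "true":
            findings.append(
                f"servlet '{name}': {GET_PARAM}=true allows GET, which makes "
                "DWR calls easier to forge; set it to false unless support for "
                "Safari <= 1.2 / old Opera Mobile is genuinely required"
            )
    return findings


# Constructed sample descriptors (not from a real deployment).
WEB_XML_GET_ENABLED = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
    <init-param>
      <param-name>allowGetForSafariButMakeForgeryEasier</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""

WEB_XML_DEFAULT = """<web-app version="2.5">
  <servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

if __name__ == "__main__":
    for label, text in (("get-enabled", WEB_XML_GET_ENABLED), ("default", WEB_XML_DEFAULT)):
        print(label, audit(text) or ["OK: GET disallowed (DWR 2.0 default)"])
```

Run it against a real descriptor with `audit(open("WEB-INF/web.xml").read())`; an empty result means the POST-only default is in force for every DWR servlet.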