Can we develop ourselves JavaScriptServlet?

[zhengjiudan]

Currently we are suing version 3.1 where we use JavaScriptServlet::doPost to fetch the token. But doPost changes a lot on version 4.1. As we don't want big change on front end, we want to introduce another Servlet whose doPost returns the master token. I just want to confirm if this solution will introduce any vulnerability. From my perspective, as doGet of new version Servlet returns MasterToken as well, I don't see any vulnerability of letting doPost to return MasterToken.

I understand CSRFGuard 4.1 is not to store token in HTTP session any more which is to prevent XSS attack. Is this the case?

[forgedhallpass]

Hello @zhengjiudan,

The upgrade from 3.x to 4.x should be seamless. You shouldn't need to modify any code.

Please refer to the other related discussions:

• Backward compatibility and support for varies deployment. #91 (reply in thread)
• Change in the JavaScriptServlet doPost() logic in 4.1.1 from 3.1.0 #52 (comment)
• Difference between 3.1.0 and 4.1.0 with respect to where the token is saved in the container #51 (comment)
• retrieving tokens from TokenHolder interface #98 (comment)
• CsrfGuard.getSessionKey() replacement? #102 (comment)