I have a GWT application that opens a second browser window. I would like my second window to be able to call a method within the entry point of the first window.
The code sample below works in production (web) mode, but when I try running it in hosted mode, IE detects XSS and overwrites the page with a single "#" to protect against the detected attack. I'm guessing this is because my GWT code server is running on localhost while the application I'm testing is deployed on a virtual machine.
Update: It appears that IE XSS Filtering is sporadic. Sometimes I'm able to get the page to load. But awhile later it starts filtering again.
public class MainWindow implements EntryPoint {
...
@Override
public void onModuleLoad() {
registerJSNIFunctions(this);
}
private native void registerJSNIFunctions(MainWindow mw) /*-{
$wnd.sayHi = function (name) {
mw.@MainWindow::sayHi(Ljava/lang/String;)(name);
}
}-*/;
public void sayHi(String name) {
alert("Hi " + name); // not valid, but you get the point
}
...
}
public class SecondWindow implements EntryPoint {
...
@Override
public void onModuleLoad() {
...
sayHi("kylos");
}
public static native void sayHi(String name) /*-{
$wnd.opener.window.$wnd.sayHi(name);
}-*/;
}
Any ideas on how I could get this to work in hosted mode? Or is there a better way to do cross-window communication with GWT?
So the issue seems to be sporadic. I'm not sure how exactly the filter gets triggered, but when it does, the rewritten page gets cached by IE so future requests are guaranteed to fail until the browser cache is emptied.
I also found this Microsoft document that describes a custom header, X-XSS-Protection, that can be used to disable the filter. Obviously, this should only be used on a dev system in hosted mode.
To disable the filter, add the following header to your server configuration:
X-XSS-Protection: 0