Reputation: 6837
Is there a way to check if it's really my (signed) applet which requests the webpage on the server?
I'd like to give a response only if the applet is ours.
Would making an HTTPS request from the applet ensure that they have the same origin? Is it possible to do without HTTPS?
Upvotes: 0
Views: 99
Reputation: 147164
No. You can't trust the client. An adversary can look at what the applet is doing and replicate it. Alternatively, just intercept transferred data or poke around in the applet's memory.
The best you can hope to do is obfuscate. Note, this will end up being much more difficult for you than for the adversary.
Upvotes: 2
Reputation: 3968
I would suggest you use cryptography, and send an "encrypted" parameter along with the request. That parameter can be "decrypted" on the server side and validated. The parameter's encrypted representation should be computed dynamically (like Timestamp + ).
Upvotes: 1
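A server-side check along the lines of the second answer, as an added example that is not code from the thread. It uses an HMAC over a timestamp and a random nonce instead of encryption; the token layout, `SHARED_KEY`, `make_token` and `TokenValidator` are assumptions made for illustration. As the first answer says, a valid token only proves possession of the key shipped in the applet, not that the caller is the applet.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample key (assumption): the same value would be embedded in the
# applet, which is why anyone who inspects the applet can also produce tokens.
SHARED_KEY = b"constructed-demo-key-not-a-real-secret"
MAX_SKEW_SECONDS = 60


def _mac(key, ts, nonce):
    return hmac.new(key, f"{ts}.{nonce}".encode(), hashlib.sha256).hexdigest()


def make_token(key, now=None):
    """Client side: build 'timestamp.nonce.mac' for one request."""
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"{ts}.{nonce}.{_mac(key, ts, nonce)}"


class TokenValidator:
    """Server side: verify the MAC, the freshness window and single use."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp, kept only while the token is fresh

    def validate(self, token, now=None):
        now = int(time.time() if now is None else now)
        parts = token.split(".")
        if len(parts) != 3:
            return "malformed"
        ts, nonce, mac = parts
        # Constant-time comparison; done first so unauthenticated input
        # never reaches the timestamp parsing below.
        if not hmac.compare_digest(_mac(self.key, ts, nonce).encode(), mac.encode()):
            return "bad-mac"
        if not (ts.isascii() and ts.isdigit()) or abs(now - int(ts)) > self.max_skew:
            return "stale"
        # Forget nonces whose tokens have expired, then reject reuse.
        self.seen = {n: t for n, t in self.seen.items() if abs(now - t) <= self.max_skew}
        if nonce in self.seen:
            return "replayed"
        self.seen[nonce] = int(ts)
        return "ok"
```

The check limits replay of captured requests to nothing and stale requests to the skew window; it does not stop a client that has the key from minting fresh tokens.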