jsr344-experts@javaserverfaces-spec-public.java.net

[jsr344-experts] Re: [869-CSRF] Proposal

From: Ed Burns <edward.burns_at_oracle.com>
Date: Mon, 25 Jul 2011 13:33:00 -0700

>>>>> On Fri, 22 Jul 2011 17:50:21 -0700, Blake Sullivan <blake.sullivan_at_oracle.com> said:

B> Ed,
B> It may have been at the 24th hour, but I believe that Alexander is
B> correct. If we are only applying CSRF protection to form POSTs, why
B> isn't the view state token completely sufficient? If we are attempting
B> to apply CSRF protection to GETs, there are other issues that are going
B> to crop up.

We want to apply it to any views to which the user wants it applied,
regardless of GET or POST. I understand that the existing view state
token takes us a lot of the way there for pages using POST; however, there
is no requirement that the view token be cryptographically strong. The
20110707 proposal addresses this by enhancing the spec for
getActionURL. The proposal also addresses GET-based pages by allowing
you to delineate which views in the app are protected and not, and by
building on the form rendering such that non-protected pages can get to
protected pages via GET with UIViewParameter elements.

Blake, do you have some specific concerns?

Ed

-- 
| edward.burns_at_oracle.com | office: +1 407 458 0017
| homepage:               | http://ridingthecrest.com/
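As an added illustration of the property the thread is discussing (a token that is cryptographically strong, required on GET as well as POST for the views the application marks as protected, and carried from an unprotected page into a protected one on the link itself), here is a small self-contained Java class. It is not code from the JSF spec, the 20110707 proposal, or any JSF implementation, and it uses plain Java rather than the JSF API; the protected view ids and the `pt` query parameter name are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

// Added example, not code from the JSF spec, the 20110707 proposal or any
// JSF implementation. One per-session token from a CSPRNG is required on
// every request (GET or POST) into a view the application lists as
// protected, and is compared in constant time. The view ids and the query
// parameter name "pt" are assumptions made for this illustration.
public final class CsrfViewGuard {

    private static final String TOKEN_PARAM = "pt";           // assumed name
    private static final SecureRandom RNG = new SecureRandom();

    // Views the application chose to protect; everything else stays open.
    private final Set<String> protectedViews;

    public CsrfViewGuard(Set<String> protectedViews) {
        this.protectedViews = Collections.unmodifiableSet(new HashSet<>(protectedViews));
    }

    /** 256 bits from a CSPRNG, URL-safe so it can ride on a GET link. */
    public static String newSessionToken() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public boolean isProtected(String viewId) {
        return protectedViews.contains(viewId);
    }

    /**
     * Build a link from an unprotected page to another view. Links into a
     * protected view carry the session token as a query parameter (the role
     * the thread assigns to UIViewParameter); links into open views are left
     * untouched.
     */
    public String linkTo(String viewId, String sessionToken) {
        if (!isProtected(viewId)) {
            return viewId;
        }
        String sep = viewId.contains("?") ? "&" : "?";
        return viewId + sep + TOKEN_PARAM + "=" + sessionToken;
    }

    /**
     * Decide whether a request may reach the view. The HTTP method is
     * deliberately not consulted: a protected view needs the token on GET
     * just as it does on POST.
     */
    public boolean isAllowed(String viewId, String presentedToken, String sessionToken) {
        if (!isProtected(viewId)) {
            return true;
        }
        if (presentedToken == null || sessionToken == null) {
            return false;
        }
        byte[] a = presentedToken.getBytes(StandardCharsets.UTF_8);
        byte[] b = sessionToken.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual runs in constant time (Java 6u17 and later),
        // so a mismatch does not leak how many leading bytes matched.
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        CsrfViewGuard guard = new CsrfViewGuard(new HashSet<>(
                Arrays.asList("/account/transfer.xhtml", "/account/close.xhtml")));
        String session = newSessionToken();

        // An open page renders a link into a protected page; the token rides along.
        String link = guard.linkTo("/account/transfer.xhtml", session);
        System.out.println("link:       " + link);

        // Following that link (a GET) is allowed; a cross-site GET without the
        // session's token, or with a guessed one, is rejected. Open views need nothing.
        String presented = link.substring(link.indexOf(TOKEN_PARAM + "=") + TOKEN_PARAM.length() + 1);
        System.out.println("legit GET:  " + guard.isAllowed("/account/transfer.xhtml", presented, session));
        System.out.println("forged GET: " + guard.isAllowed("/account/transfer.xhtml", null, session));
        System.out.println("guessed:    " + guard.isAllowed("/account/transfer.xhtml", "0000", session));
        System.out.println("open view:  " + guard.isAllowed("/index.xhtml", null, session));
    }
}
```

The point of drawing the token from `SecureRandom` rather than from whatever identifier the view state happens to carry is the one Ed raises: a view state token that merely identifies the saved state may be predictable, and a predictable token gives no CSRF protection at all, since the attacker can simply put it in the forged request.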