jsr344-experts@javaserverfaces-spec-public.java.net

[jsr344-experts] Re: [jsr344-experts mirror] Re: [869-CSRF] Proposal

From: Kito Mann <kito.mann_at_virtua.com>
Date: Mon, 25 Jul 2011 21:21:52 -0400

On Mon, Jul 25, 2011 at 8:49 PM, Blake Sullivan
<blake.sullivan_at_oracle.com> wrote:

>
> As far as controlling which pages this applies to, it seems like kind of a
> pain and I would prefer that we look at ways of making this simpler or
> possibly combining with other page-level metadata that the application
> developers might wish to add.
>

I really think it should be easy to turn this on -- you shouldn't have to
earmark every page if you don't want to. The possible attacks using GET
requests are pretty well documented, and since JSF apps have no restrictions
on what type of actions you can perform, we can't guarantee that people
aren't doing updates during GETs.

>
> -- Blake Sullivan
>
>> The
>> 20110707 proposal addresses this by enhancing the spec for
>> getActionURL. The proposal also addresses GET based pages by allowing
>> you to delineate which views in the app are protected and not, and by
>> building on the form rendering such that non-protected pages can get to
>> protected pages via GET with UIViewParameter elements.
>>
>> Blake, do you have some specific concerns?
>>
>> Ed
>>
>>
>
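The mechanism Ed's quoted paragraph describes (marking some views as protected so that they can only be reached with a request-scoped token, while unprotected views stay reachable by plain GET) was later standardized in JSF 2.2 as `<protected-views>` in `faces-config.xml`. The following configuration is an added illustration of that final form, not text from this thread or from the 20110707 proposal; the view paths and the application layout are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: JSF 2.2 protected views (not part of the thread or the 20110707 proposal).
     View paths below are assumed for illustration. -->
<faces-config xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd"
              version="2.2">

    <!-- Views listed here may only be reached via a request that carries the
         per-session token (javax.faces.Token). A plain GET without the token
         is rejected with a ProtectedViewException. -->
    <protected-views>
        <!-- Assumed paths: pages that perform state-changing actions on GET. -->
        <url-pattern>/account/transfer.xhtml</url-pattern>
        <url-pattern>/admin/deleteUser.xhtml</url-pattern>
    </protected-views>

    <!-- Views not listed (for example an assumed /index.xhtml) remain reachable
         by ordinary GET. Links to protected views rendered with h:link or
         h:button get the token appended automatically, so navigation from an
         unprotected page into a protected one still works. -->
</faces-config>
```

The security-relevant consequence is the one Kito raises above: a view is only covered if it appears in this list, so a state-changing GET on a page that was never earmarked is not protected. Reviewing which views perform updates on GET, and listing each of them, is the work the configuration shifts onto the application developer.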