jsr344-experts@javaserverfaces-spec-public.java.net

[jsr344-experts] Public Review Draft Comments #2

From: Kito Mann <kito.mann_at_virtua.com>
Date: Thu, 6 Dec 2012 11:53:44 -0500

Here are a few more comments:

Preface, p38 -- Cross site request forgery (not client side request forgery)

2.5.3.1 -- StateHelper should be mentioned here

7.6.2.4 -- awkward sentence -- should be more like "ViewHandler has several
methods for handling cross-site scripting protecting. These method names
all have the text "protectedView" and are covered in the Javadocs."

7.6.3 -- very vague -- doesn't even explain what the View Protection API is.

I feel like we need a section explaining what "view protection" is, how it
relates to CSRF, and points readers to the relevant sections (perhaps it's
there and I missed it...)

___

Kito D. Mann | @kito99 | Author, JSF in Action
Virtua, Inc. | http://www.virtua.com | JSF/Java EE training and consulting
http://www.JSFCentral.com - JavaServer Faces FAQ, news, and info |
@jsfcentral
+1 203-404-4848 x246

* Listen to the latest headlines in the JSF and Java EE newscast: *
http://blogs.jsfcentral.com/JSFNewscast/*
* Sign up for the JSFCentral Newsletter: http://oi.vresp.com/?fid=ac048d0e17