Hi
I finally created this issue:
http://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1161
CSRF protection cannot be used "out of the box" without create a
custom component or override forcefully ExternalContext
I think we definitively need to fix it before 2.2, because looking the
feature as a whole, my impression is the code is just
incomplete/broken. The user will be forced to write the same code to
use it (create custom component for a link or button and optionally
override some ExternalContext method to append the query param. (how
to test it without do the previous steps?).
regards,
Leonardo Uribe
2013/1/31 Edward Burns <edward.burns_at_oracle.com>
>
> >>>>> On Tue, 22 Jan 2013 13:57:36 -0500, Leonardo Uribe <lu4242_at_gmail.com> said:
>
> LU> In this case the same pattern could be applied. A param in h:link /
> LU> h:button
> LU> like enableViewProtection or something like that could be helpful.
>
> If you feel it's worthwhile, please file an issue. Otherwise, I think
> it can wait til after 2.2.
>
> Ed
>
> --
> | edward.burns_at_oracle.com | office: +1 407 458 0017
> | homepage: | http://ridingthecrest.com/