jsr372-experts@javaserverfaces-spec-public.java.net

[jsr372-experts] Re: [SPEC-523] Make the name of 'javax.faces.ViewState' configurable

From: Neil Griffin <neil.griffin_at_portletfaces.org>
Date: Mon, 12 Jan 2015 11:58:33 -0500

There are other hidden fields, including “javax.faces.encodedURL” and “javax.faces.ClientWindow”.

And when f:ajax triggers an XHR, there are standard parameters added to the request, such as “javax.faces.partial.ajax”.

If we made the name “javax.faces.ViewState” configurable, wouldn’t we need to make the others configurable too?

At this time I think the benefit does not outweigh the drawback.

-1

> On Jan 12, 2015, at 11:29 AM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
> Hi,
>
> I do agree with the motivation behind the request; indeed, looking for
> "ViewState" is basically the first thing I do to discover if a site is
> using JSF. In fact, a couple of sites that I suggested for the real
> life JSF page were discovered by looking at this.
>
> I do wonder how feasible it is these days to totally hide the fact
> that a site is using JSF, given a couple of other giveaways like the
> standard jsf AJAX script and known scripts and CSS styles from several
> popular component libraries. Some patterns like the form name as
> hidden parameter and the client ID pattern of components (even when
> the default colon separator is changed to something else) are hints as
> well.
>
> Kind regards,
> Arjan Tijms
>
>
>
>
> On Mon, Jan 12, 2015 at 5:16 PM, manfred riem <manfred.riem_at_oracle.com> wrote:
>> Hi all,
>>
>> What is the general feeling about making the "javax.faces.ViewState" name
>> configurable?
>>
>> Thoughts?
>> Manfred
>>