jsr372-experts@javaserverfaces-spec-public.java.net

[jsr372-experts] Re: [SPEC-523] Make the name of 'javax.faces.ViewState' configurable

From: Hazem Saleh <HAZEMS_at_eg.ibm.com>
Date: Mon, 12 Jan 2015 19:26:15 +0200

-1 I agree with Neil.
Thanks and Best regards,
_________________________
___________
Hazem Saleh
Advisory Software Engineer
Certified Expert IT Specialist L2
...................................................................................................................................
 


       hazems_at_eg.ibm.com
      My Bio
      My Books
 
       +201066698446
        ibm.com/mobilefirst Connect with IBM Mobile on:
      Find me within IBM on:





From: Neil Griffin <neil.griffin_at_portletfaces.org>
To: jsr372-experts_at_javaserverfaces-spec-public.java.net,
Date: 01/12/2015 06:58 PM
Subject: [jsr372-experts] Re: [SPEC-523] Make the name of
'javax.faces.ViewState' configurable



There are other hidden fields including ?javax.faces.encodedURL? and
?javax.faces.ClientWindow"

And when f:ajax triggers and XHR, there are standard parameters added to
the request such as ?javax.faces.partial.ajax"

If we made the name ?javax.faces.ViewState? configurable, wouldn?t we need

to make the others configurable too?

At this time I think the benefit does not outweigh the drawback.

-1

On Jan 12, 2015, at 11:29 AM, arjan tijms <arjan.tijms_at_gmail.com> wrote:

Hi,

I do agree with the motivation behind the request; indeed, looking for
"ViewState" is basically the first thing I do to discover if a site is
using JSF. In fact, a couple of sites that I suggested for the real
life JSF page were discovered by looking at this.

I do wonder how feasible it is these days to totally hide the fact
that a site is using JSF, given a couple of other giveaways like the
standard jsf AJAX script and known scripts and CSS styles from several
popular component libraries. Some patterns like the form name as
hidden parameter and the client ID pattern of components (even when
the default colon separator is changed to something else) are hints as
well.

Kind regards,
Arjan Tijms




On Mon, Jan 12, 2015 at 5:16 PM, manfred riem <manfred.riem_at_oracle.com>
wrote:
Hi all,

What is the general feeling about making the "javax.faces.ViewState" name
configurable?

Thoughts?
Manfred






picture
(image/jpeg attachment: 01-part)

picture
(image/jpeg attachment: 02-part)

picture
(image/gif attachment: 03-part)

picture
(image/jpeg attachment: 04-part)

picture
(image/gif attachment: 05-part)

picture
(image/gif attachment: 06-part)

picture
(image/gif attachment: 07-part)

picture
(image/gif attachment: 08-part)

picture
(image/gif attachment: 09-part)

picture
(image/gif attachment: 10-part)

picture
(image/gif attachment: 11-part)

© Oracle | By contributing to this project, you are agreeing to the terms of use described here.