-1 I agree with Neil.
Thanks and Best regards,
_________________________
___________
Hazem Saleh
Advisory Software Engineer
Certified Expert IT Specialist L2
...................................................................................................................................
hazems_at_eg.ibm.com
My Bio
My Books
+201066698446
ibm.com/mobilefirst Connect with IBM Mobile on:
Find me within IBM on:
From: Neil Griffin <neil.griffin_at_portletfaces.org>
To: jsr372-experts_at_javaserverfaces-spec-public.java.net,
Date: 01/12/2015 06:58 PM
Subject: [jsr372-experts] Re: [SPEC-523] Make the name of
'javax.faces.ViewState' configurable
There are other hidden fields including ?javax.faces.encodedURL? and
?javax.faces.ClientWindow"
And when f:ajax triggers and XHR, there are standard parameters added to
the request such as ?javax.faces.partial.ajax"
If we made the name ?javax.faces.ViewState? configurable, wouldn?t we need
to make the others configurable too?
At this time I think the benefit does not outweigh the drawback.
-1
On Jan 12, 2015, at 11:29 AM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
Hi,
I do agree with the motivation behind the request; indeed, looking for
"ViewState" is basically the first thing I do to discover if a site is
using JSF. In fact, a couple of sites that I suggested for the real
life JSF page were discovered by looking at this.
I do wonder how feasible it is these days to totally hide the fact
that a site is using JSF, given a couple of other giveaways like the
standard jsf AJAX script and known scripts and CSS styles from several
popular component libraries. Some patterns like the form name as
hidden parameter and the client ID pattern of components (even when
the default colon separator is changed to something else) are hints as
well.
Kind regards,
Arjan Tijms
On Mon, Jan 12, 2015 at 5:16 PM, manfred riem <manfred.riem_at_oracle.com>
wrote:
Hi all,
What is the general feeling about making the "javax.faces.ViewState" name
configurable?
Thoughts?
Manfred