Hi Arjan,
> On 26.02.2015 at 12:29, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
> In general it provides an attack surface of which many JSF users are
> clearly not aware of. I strongly feel JSF should be safe by default,
> and not only after the user fiddled with many moving parts.
I understand this. The first thing I usually do in a new project is to remove all those X-Powered-By headers, which are also on by default.
> For extensionless mapping it's kinda important to know which things
> are views, and which things are not views.
I still think scanning all facelets on startup and looking for an f:view tag is an option to find all views. I have a project with more than 1300 facelets doing this. It takes about a second.
> It's not so nice to just
> randomly map the FacesServlet to every *.xhtml file the runtime
> encounters. Security aside, you just don't want to have
> http://myhost.net/includes/dataForm resolve to anything if
> /includes/dataform is not a top-level view.
We can send a 403 if there is no f:view tag in the requested facelet.
> In general, having a clear idea of what are top-level views and what
> are not is a powerful tool that extension libraries can take advantage
> of for all kinds of things.
>
> I do have to stress that the proposed /views folder is -an- enabler,
> but I'm of course open to explore other options to reach the same goal
> (prevent source code exposure and determine if a Facelet is a
> top-level view or not).
I’d like to go with the facelet scanning.
I have another point about extensionless mapping. If the main purpose is SEO, then this only helps for English web sites. Most projects I have seen in Germany usually use English as the technical language. So all facelets have English names. But for SEO they need German URLs. I believe it is the same for many other countries. Are there any other use cases for extensionless mapping?
Ciao Frank
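The startup scan plus 403 that Frank sketches above, written out as an added example (this is not code from the thread, from Frank's project, or from any JSF implementation). It assumes a Servlet 3.x container (javax.servlet), facelets served from the web root, and the two JSF core namespace URIs listed in the code; the class names and the "topLevelViews" context attribute are made up for the example.

```java
import java.io.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.annotation.*;
import javax.servlet.http.*;
import javax.xml.stream.*;

/**
 * Added example, not from the thread. At startup, walk every *.xhtml under the web
 * root and remember the ones that contain an <f:view> element; afterwards the nested
 * filter answers 403 for any extensionless or *.xhtml request that is not one of them.
 */
@WebListener
public class TopLevelViewScanner implements ServletContextListener {
    static final String ATTR = "topLevelViews"; // hypothetical context attribute name
    private static final Set<String> JSF_CORE = new HashSet<>(Arrays.asList(
            "http://xmlns.jcp.org/jsf/core", "http://java.sun.com/jsf/core"));

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        Set<String> views = new HashSet<>();
        scan(ctx, "/", views);
        ctx.setAttribute(ATTR, Collections.unmodifiableSet(views));
        ctx.log("Top-level views found: " + views.size());
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }

    // Recursive walk of the web root; WEB-INF and META-INF are never served, so skip them.
    private void scan(ServletContext ctx, String dir, Set<String> out) {
        Set<String> paths = ctx.getResourcePaths(dir);
        if (paths == null) return;
        for (String p : paths) {
            if (p.startsWith("/WEB-INF/") || p.startsWith("/META-INF/")) continue;
            if (p.endsWith("/")) { scan(ctx, p, out); continue; }
            if (p.endsWith(".xhtml") && hasFView(ctx, p)) {
                out.add(p.substring(0, p.length() - ".xhtml".length())); // "/a/b.xhtml" -> "/a/b"
            }
        }
    }

    // Stream through the file looking for a start element "view" in the JSF core namespace.
    // DTD and external-entity support are switched off so a malformed or hostile facelet
    // cannot turn the scan into XXE or entity expansion; anything that fails to parse is
    // treated as not a view, i.e. the scan fails closed.
    private boolean hasFView(ServletContext ctx, String path) {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        try (InputStream in = ctx.getResourceAsStream(path)) {
            XMLStreamReader r = f.createXMLStreamReader(in);
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT
                        && "view".equals(r.getLocalName())
                        && JSF_CORE.contains(r.getNamespaceURI())) {
                    return true;
                }
            }
        } catch (Exception e) {
            ctx.log("Skipping " + path + " (not parseable as a view): " + e.getMessage());
        }
        return false;
    }

    /** Refuses requests for anything the scan did not mark as a top-level view. */
    @WebFilter("/*")
    public static class TopLevelViewFilter implements Filter {
        @Override public void init(FilterConfig cfg) { }
        @Override public void destroy() { }

        @Override
        @SuppressWarnings("unchecked")
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest r = (HttpServletRequest) req;
            // Container-decoded, context-relative path (pathInfo is null for a /* mapping).
            String path = r.getServletPath() + (r.getPathInfo() == null ? "" : r.getPathInfo());
            String last = path.substring(path.lastIndexOf('/') + 1);
            boolean facelet = path.endsWith(".xhtml");
            // Only extensionless and *.xhtml paths are view candidates; css/js/images pass through.
            if (facelet || !last.contains(".")) {
                String viewId = facelet ? path.substring(0, path.length() - ".xhtml".length()) : path;
                Set<String> views = (Set<String>) req.getServletContext().getAttribute(ATTR);
                if (views == null || !views.contains(viewId)) {
                    ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                    return;
                }
            }
            chain.doFilter(req, res);
        }
    }
}
```

With this in place a request for /includes/dataForm (or /includes/dataForm.xhtml) gets a 403 when that facelet has no f:view, which is the case Arjan raises; a facelet that only carries ui:composition is an include, not a view, and is never answered. Two caveats a practitioner will hit: the filter as written also refuses the welcome page ("/") and any other extensionless URL that is not a JSF view, such as a REST endpoint, so those need an explicit allowlist; and facelets that use HTML entities like &nbsp; without a DOCTYPE do not parse as XML and are logged and skipped, which is visible in the log rather than silently exposed.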