users@javaserverfaces-spec-public.java.net

[jsr344-experts mirror] [jsr344-experts] Public Review Draft Comments #2

From: Kito Mann <kito.mann_at_virtua.com>
Date: Thu, 6 Dec 2012 11:53:44 -0500

Here are a few more comments:

Preface, p38 -- Cross site request forgery (not client side request forgery)

2.5.3.1 -- StateHelper should be mentioned here

7.6.2.4 -- awkward sentence -- should be more like "ViewHandler has several
methods for handling cross-site scripting protection. These method names
all have the text "protectedView" and are covered in the Javadocs."

7.6.3 -- very vague -- doesn't even explain what the View Protection API is.

I feel like we need a section explaining what "view protection" is, how it
relates to CSRF, and points readers to the relevant sections (perhaps it's
there and I missed it...)

___

Kito D. Mann | @kito99 | Author, JSF in Action
Virtua, Inc. | http://www.virtua.com | JSF/Java EE training and consulting
http://www.JSFCentral.com - JavaServer Faces FAQ, news, and info | @jsfcentral
+1 203-404-4848 x246

* Listen to the latest headlines in the JSF and Java EE newscast: http://blogs.jsfcentral.com/JSFNewscast/
* Sign up for the JSFCentral Newsletter: http://oi.vresp.com/?fid=ac048d0e17