users@javaserverfaces-spec-public.java.net

[jsr372-experts mirror] [jsr372-experts] Re: Re: [SPEC-523] Make the name of 'javax.faces.ViewState' configurable

From: Kito Mann <kito.mann_at_virtua.com>
Date: Mon, 12 Jan 2015 12:14:45 -0500

-1 I agree with Neil.


On Mon, Jan 12, 2015 at 11:58 AM, Neil Griffin <neil.griffin_at_portletfaces.org> wrote:

> There are other hidden fields including "javax.faces.encodedURL" and
> "javax.faces.ClientWindow"
>
> And when f:ajax triggers an XHR, there are standard parameters added to
> the request such as "javax.faces.partial.ajax"
>
> If we made the name "javax.faces.ViewState" configurable, wouldn't we need
> to make the others configurable too?
>
> At this time I think the benefit does not outweigh the drawback.
>
> -1
>
> On Jan 12, 2015, at 11:29 AM, arjan tijms <arjan.tijms_at_gmail.com> wrote:
>
> Hi,
>
> I do agree with the motivation behind the request; indeed, looking for
> "ViewState" is basically the first thing I do to discover if a site is
> using JSF. In fact, a couple of sites that I suggested for the real
> life JSF page were discovered by looking at this.
>
> I do wonder how feasible it is these days to totally hide the fact
> that a site is using JSF, given a couple of other giveaways like the
> standard jsf AJAX script and known scripts and CSS styles from several
> popular component libraries. Some patterns like the form name as
> hidden parameter and the client ID pattern of components (even when
> the default colon separator is changed to something else) are hints as
> well.
>
> Kind regards,
> Arjan Tijms
>
>
>
>
> On Mon, Jan 12, 2015 at 5:16 PM, manfred riem <manfred.riem_at_oracle.com>
> wrote:
>
> Hi all,
>
> What is the general feeling about making the "javax.faces.ViewState" name
> configurable?
>
> Thoughts?
> Manfred
>
>
>
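
Added example, not part of the thread or of any JSF implementation: a check a site owner can run over a rendered page of their own to see which of the giveaways named in the replies remain once the view-state field has a different name. The `javax.faces.resource/jsf.js` script path and the rule that the form-name hidden field carries the form id as both name and value are assumptions drawn from common JSF output, not from the thread; the sample page, its field name `vs` and its `-` separator are constructed.

```python
import re
from html.parser import HTMLParser

# Hidden field names quoted in the thread.
STANDARD_FIELDS = {"javax.faces.ViewState", "javax.faces.encodedURL",
                   "javax.faces.ClientWindow"}

class JsfMarkerScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = {"standard_field": set(), "ajax_script": set(),
                      "form_name_field": set(), "client_id": set()}
        self.form = None  # id of the form currently open

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form = a.get("id") or a.get("name")
        if tag == "script" and "javax.faces.resource/jsf.js" in a.get("src", ""):
            self.found["ajax_script"].add(a["src"])  # assumed standard script path
        if tag == "input" and a.get("type", "").lower() == "hidden":
            name = a.get("name", "")
            if name in STANDARD_FIELDS:
                self.found["standard_field"].add(name)
            elif self.form and name == self.form == a.get("value"):
                self.found["form_name_field"].add(name)
        # Client ID: form id + one separator char (':' unless changed) + component id.
        if self.form and re.match(re.escape(self.form) + r"\W.", a.get("id", "")):
            self.found["client_id"].add(a["id"])

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

def jsf_markers(html):
    """Return the JSF giveaways found in one rendered page, by category."""
    scan = JsfMarkerScan()
    scan.feed(html)
    scan.close()
    return {k: sorted(v) for k, v in scan.found.items() if v}

# Constructed page: view-state field renamed to the made-up "vs", separator set to "-".
SAMPLE = """<script src="/app/javax.faces.resource/jsf.js.xhtml?ln=javax.faces"></script>
<form id="login" name="login" method="post">
<input type="hidden" name="login" value="login"/>
<input id="login-user" name="login-user" type="text"/>
<input type="hidden" name="vs" value="-123:456"/>
<input type="hidden" name="javax.faces.ClientWindow" value="abc"/>
</form>"""
```

Calling `jsf_markers(SAMPLE)` still reports four categories of marker even though no field named `javax.faces.ViewState` is present.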