Committed. Hoping for some community feedback now. I'll make a forum post.
-Dan
On Thu, Mar 12, 2009 at 5:18 AM, Christian Bauer
<christian.bauer(a)gmail.com> wrote:
On Mar 11, 2009, at 15:23, Dan Allen wrote:
Issue created and initial concept patch provided here:
https://jira.jboss.org/jira/browse/JBSEAM-4007
The patch seems to be working as expected and I still can't see why it
shouldn't work. ;) This is a nice solution that gives us independence from
the HTTP session but CSRF protection.
It won't work if the browser has cookies disabled. The best we can do in
that situation is: The <s:token> should use JavaScript to detect if cookies
are enabled and display a warning if not. We have to let users know after
the first request if it works or not, can't wait for the second request to
hit the server (with the cookies included).
function checkCookieSupport() {
    // Assumes the server already set a (non-HttpOnly) cookie on the first
    // response; if the browser kept it, document.cookie is non-empty.
    if (!document.cookie) {
        jQuery("body").prepend(
            "<div class='cookieJavaScriptWarning'>" +
            "This website uses a cross-site scripting protection mechanism that requires " +
            "cookies to be enabled in your browser. See " +
            "<a href='http://seamframework.org/foo'>this page</a> for more information." +
            "</div>");
    }
}
Optionally, we can also execute a WebRemote request to a new Seam resource
that will log a WARN. I'm not sure how useful this is going to be though:
There is nothing the developer can do and the operations guys probably don't
care if someone disables cookies.
_______________________________________________
seam-dev mailing list
seam-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/seam-dev
--
Dan Allen
Senior Software Engineer, Red Hat | Author of Seam in Action
http://mojavelinux.com
http://mojavelinux.com/seaminaction
NOTE: While I make a strong effort to keep up with my email on a daily
basis, personal or other work matters can sometimes keep me away
from my email. If you contact me, but don't hear back for more than a week,
it is very likely that I am excessively backlogged or the message was
caught in the spam filters. Please don't hesitate to resend a message if
you feel that it did not reach my attention.