[jsr-314-open] JSF 2.1 ajax spec enhancements - runscripts/applystyles

Werner Punz werner.punz at gmail.com
Wed Jan 20 15:00:37 EST 2010


On Tue, Jan 19, 2010 at 7:13 PM, Jim Driscoll <Jim.Driscoll at sun.com> wrote:

> Ganesh -
>
> As far as I know, the runscripts behavior is the same between MyFaces and
> Mojarra - what's the difference that you are speaking of?  Werner and I
> collaborated a bit during beta to make sure they were the same...
>
> Thus, I'm confused by your contention in the bug:
>
> https://javaserverfaces-spec-public.dev.java.net/issues/show_bug.cgi?id=724
>
> That:
>
> MyFaces 2.0 does execute script, Mojarra doesn't, spec needs to clarify for
> unification
>
> Agree that this needs to be in the spec.  Its omission was an oversight.
>
> As for applying styles:
>
> The <style> tag is only valid in the <head> - and we do not apply stuff in
> the head right now - mostly because there are just so very many bugs when
> doing so.
>

Actually, changing the head is not really possible, as far as I can remember
from our discussions and my testing on many browsers. So far only some IE
versions and Mozilla allow that, to some degree and under some conditions.



> So, this may be surfacing a more major lack in the spec than just styles.
>
> Jim
>
>
> On 12/22/09 12:26 PM, Ganesh wrote:
>
>> no, these aren't attributes. If XHTML that comes in via xhr
>> contains scripts these *always* need to be executed and
>> styles need to be *always* applied. Some browsers in combination with
>> some replacement methods already do this for us, some don't, so we need
>> to take action.
>>
>> I cannot see the security hole with this as some browsers
>> actually do it. Can you make up a setup that illustrates
>> the hole?
>>
>> Best regards,
>> Ganesh
>>
>>> There are also 2 functional clarifications I want to propose.
>>> Mojarra and MyFaces partly differ in this, so I think we need to
>>> clarify.
>>>
>>>
>>> Sorry, I'm confused. Are runscripts and applystyles f:ajax tag
>>> attributes? If so, do the attributes affect only the Ajax request that
>>> f:ajax fires, or is it an app-wide setting for all Ajax requests?
>>>
>>> runscripts: If a piece of XHTML comes in via xhr and contains
>>> <script> tags the ajax engine should automatically trigger execution of
>>> these scripts. This is important if you want to replace a js function
>>> or if the scripts somehow initialize UI elements. It depends on a
>>> combination of the js replacement code
>>> (innerHTML/adjacentHTML/contextualFragment/...) and the browser
>>> platform whether the browsers automatically run these scripts:
>>> IE mostly doesn't run them, FF mostly does so. The ajax engine should
>>> know whether the browser does automatically run the scripts and if it
>>> doesn't they should be triggered via js.
>>>
>>>
>>> I understand the desire for this, but this opens a pretty big security
>>> hole, doesn't it? Do we need to do anything about that?
>>>
>>>
>>
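
The runscripts behaviour described in the quoted text, sketched as an added example that is not part of the original message and is not MyFaces or Mojarra code: the update fragment is split into script-free markup and a list of scripts, so execution no longer depends on browser or replacement method and becomes one explicit step the engine can log or refuse. The names `splitFragment` and `applyUpdate`, the callback names and the sample fragment are assumptions.

```javascript
// Added example; splitFragment/applyUpdate are hypothetical names.
// A regex scanner is used so the sketch runs without a DOM. It does not
// cover every markup edge case (e.g. a '>' inside an attribute value).
const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_RE = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;

// Split an update fragment into script-free markup and the scripts it carried.
function splitFragment(html) {
  const scripts = [];
  const markup = html.replace(SCRIPT_RE, (whole, attrs, body) => {
    const m = SRC_RE.exec(attrs);
    if (m) {
      scripts.push({ kind: "external", src: m[1] ?? m[2] ?? m[3] });
    } else if (body.trim() !== "") {
      scripts.push({ kind: "inline", code: body });
    }
    return ""; // markup handed to the DOM never contains <script>
  });
  return { markup, scripts };
}

// Apply an update: insert the markup, then run each script once, in order.
// insert/runInline/loadExternal are supplied by the caller (assumptions),
// which makes script execution a single, auditable decision point.
function applyUpdate(html, { insert, runInline, loadExternal }) {
  const { markup, scripts } = splitFragment(html);
  insert(markup);
  for (const s of scripts) {
    if (s.kind === "inline") runInline(s.code);
    else loadExternal(s.src);
  }
  return scripts.length;
}

// Constructed sample fragment, as it might arrive in a partial response.
const SAMPLE =
  '<div id="f:out">hi<script type="text/javascript">init("f:out");</script>' +
  "<script src='/res/widget.js'></script></div>";
```

Because the scripts come back as data, whether to run them for a given response is a choice the engine makes in one place, which is where the security question raised in the thread would be decided.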