<div class="action-body">Committed. Hoping for some community feedback now. I'll make a forum post.<br><br>-Dan<br></div><br><div class="gmail_quote">On Thu, Mar 12, 2009 at 5:18 AM, Christian Bauer <span dir="ltr"><<a href="mailto:christian.bauer@gmail.com">christian.bauer@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="im"><br>
On Mar 11, 2009, at 15:23 , Dan Allen wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Issue created and initial concept patch provided here <a href="https://jira.jboss.org/jira/browse/JBSEAM-4007" target="_blank">https://jira.jboss.org/jira/browse/JBSEAM-4007</a><br>
</blockquote>
<br></div>
The patch seems to be working as expected and I still can't see why it shouldn't work. ;) This is a nice solution that gives us independence from the HTTP session but CSRF protection.<br>
<br>
It won't work if the browser has cookies disabled. The best we can do in that situation is: The <s:token> should use JavaScript to detect if cookies are enabled and display a warning if not. We have to let users know after the first request if it works or not, can't wait for the second request to hit the server (with the cookies included).<br>
<br>
function checkCookieSupport() {<br>
// Write a test cookie and read it back: an empty document.cookie alone does<br>
// not prove cookies are disabled (a first visit simply has no cookies yet).<br>
document.cookie = "seamCookieTest=1";<br>
var supported = document.cookie.indexOf("seamCookieTest=") != -1;<br>
document.cookie = "seamCookieTest=; expires=Thu, 01 Jan 1970 00:00:00 GMT";<br>
if(!supported) {<br>
jQuery("body")<br>
.prepend("<div class='cookieJavaScriptWarning'>" +<br>
"This website uses a cross-site scripting protection mechanism that requires " +<br>
"cookies to be enabled in your browser. See " +<br>
"<a href='http://seamframework.org/foo'>this page</a> for more information." +<br>
"</div>");<br>
}<br>
}<br>
<br>
Optionally, we can also execute a WebRemote request to a new Seam resource that will log a WARN. I'm not sure how useful this is going to be though: There is nothing the developer can do and the operations guys probably don't care if someone disables cookies.<div>
<div></div><div class="h5"><br>
<br>
_______________________________________________<br>
seam-dev mailing list<br>
<a href="mailto:seam-dev@lists.jboss.org" target="_blank">seam-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/seam-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/seam-dev</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Dan Allen<br>Senior Software Engineer, Red Hat | Author of Seam in Action<br><br><a href="http://mojavelinux.com">http://mojavelinux.com</a><br><a href="http://mojavelinux.com/seaminaction">http://mojavelinux.com/seaminaction</a><br>
<br>NOTE: While I make a strong effort to keep up with my email on a daily<br>basis, personal or other work matters can sometimes keep me away<br>from my email. If you contact me, but don't hear back for more than a week,<br>
it is very likely that I am excessively backlogged or the message was<br>caught in the spam filters. Please don't hesitate to resend a message if<br>you feel that it did not reach my attention.<br>