I'd be interested in feedback especially from Shane, who had some
questions about Seam Remoting and CSRF. I tried to explain it and show
why/how we have some missing features in this area. I think we need to
do something about it - like per-request tokens. However, we might
want to expand this feature as a general CSRF solution that also works
with the REST request processing, for example. (And Wicket forms?)
This fell off the back of the truck over the holiday break. Thanks for rekindling.
Dan, if you could add the current status of "stateless" view
processing in JSF 2.0 to the CSRF page, we can go from there and draft
some recommendations for users.
Every time I visit the JSF EG mailing list, this issue crosses my mind. I will add it to my agenda.