Committed. Hoping for some community feedback now. I'll make a forum post.

-Dan

On Thu, Mar 12, 2009 at 5:18 AM, Christian Bauer <christian.bauer@gmail.com> wrote:

On Mar 11, 2009, at 15:23 , Dan Allen wrote:

Issue created and initial concept patch provided here https://jira.jboss.org/jira/browse/JBSEAM-4007

The patch seems to be working as expected and I still can't see why it shouldn't work. ;) This is a nice solution that gives us independence from the HTTP session but CSRF protection.

It won't work if the browser has cookies disabled. The best we can do in that situation is: The <s:token> should use JavaScript to detect if cookies are enabled and display a warning if not. We have to let users know after the first request if it works or not, can't wait for the second request to hit the server (with the cookies included).

function checkCookieSupport() {
    // document.cookie is empty on a first visit even when cookies are enabled,
    // so write a test cookie and check whether it can be read back.
    document.cookie = "seamCookieTest=1; path=/";
    var cookiesEnabled = document.cookie.indexOf("seamCookieTest=") !== -1;
    // remove the test cookie again
    document.cookie = "seamCookieTest=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
    if (!cookiesEnabled) {
        jQuery("body")
            .prepend("<div class='cookieJavaScriptWarning'>" +
                     "This website uses a cross-site request forgery protection mechanism that requires " +
                     "cookies to be enabled in your browser. See " +
                     "<a href='http://seamframework.org/foo'>this page</a> for more information." +
                     "</div>");
    }
}

Optionally, we can also execute a WebRemote request to a new Seam resource that will log a WARN. I'm not sure how useful this is going to be though: There is nothing the developer can do and the operations guys probably don't care if someone disables cookies.


_______________________________________________
seam-dev mailing list
seam-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/seam-dev



--
Dan Allen
Senior Software Engineer, Red Hat | Author of Seam in Action

http://mojavelinux.com
http://mojavelinux.com/seaminaction

NOTE: While I make a strong effort to keep up with my email on a daily
basis, personal or other work matters can sometimes keep me away
from my email. If you contact me, but don't hear back for more than a week,
it is very likely that I am excessively backlogged or the message was
caught in the spam filters.  Please don't hesitate to resend a message if
you feel that it did not reach my attention.