[seam-dev] XSRF and JSF2
Christian Bauer
christian.bauer at gmail.com
Tue Sep 30 12:01:48 EDT 2008
Because it is back on Slashdot again today, I remembered why the
"let's automatically build a view if we don't have one in RESTORE VIEW
phase" proposal in JSF 2.0 was not sitting right with me.
You need a little background on XSRF (Wikipedia or something) and see
the older discussion here and especially my last comment:
http://www.seamframework.org/Community/IsSeamRemotingVulnerableToCrossSiteRequestForgery
I actually now think that we should have a cryptographically strong
(and of course mandatory) view identifier for better XSRF protection.
There are some other solutions worth discussing but AFAIK most of the
good ones involve a token/session mapping of some kind, so we run into
the "view has expired" problem again.
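As an added illustration of the token/session mapping the message refers to (this is example code, not Christian Bauer's, Seam's or JSF's own implementation): each rendered form carries a cryptographically random view identifier that the server remembers in the session; a POST is accepted only if it echoes back a live identifier. Because the session keeps only a bounded number of identifiers, an old form eventually fails with a "view has expired" result. The `auto_build` flag models the concern in the message about building a view automatically when none is found. All names (`ViewTokenStore`, `validate_post`, `MAX_VIEWS`) are invented for this example; the hidden field name `javax.faces.ViewState` is borrowed from JSF only for illustration.

```python
"""Synchronizer-token XSRF protection with a bounded per-session token store.

Added example, not code from the mailing-list author, Seam or JSF.
Each rendered view gets an unguessable identifier stored server-side in the
session; a POST must echo it back. Only the newest MAX_VIEWS identifiers are
kept, which is what produces the "view has expired" failure mode.
"""
import hmac
import secrets
from collections import OrderedDict

MAX_VIEWS = 3  # constructed small limit so expiry is easy to observe
VIEW_FIELD = "javax.faces.ViewState"  # JSF's hidden field name, for illustration


class ViewTokenStore:
    """Per-session mapping of live view identifiers (bounded, oldest evicted)."""

    def __init__(self, max_views=MAX_VIEWS):
        self.max_views = max_views
        self._tokens = OrderedDict()

    def issue(self):
        # 32 bytes from the OS CSPRNG: an attacker's site cannot guess it.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = True
        # Drop the oldest view once the bound is exceeded.
        while len(self._tokens) > self.max_views:
            self._tokens.popitem(last=False)
        return token

    def consume(self, token):
        """Return True iff token is a live view id; constant-time comparison."""
        if token is None:
            return False
        for known in list(self._tokens):
            if hmac.compare_digest(known, token):
                del self._tokens[known]  # one-shot: a replay of the same id fails
                return True
        return False


def render_form(store):
    """Simulate RENDER RESPONSE: embed a fresh view id in the form."""
    return {"action": "/transfer", "hidden": {VIEW_FIELD: store.issue()}}


def validate_post(store, form_data, auto_build=False):
    """Simulate RESTORE VIEW.

    Returns "ok", "missing" or "expired". A request forged from another site
    cannot read the token (same-origin policy), so it arrives without one; a
    stale form whose id was evicted arrives with an unknown one. With
    auto_build=True an unknown or absent id is silently replaced by a freshly
    built view, which removes the protection the token was providing.
    """
    token = form_data.get(VIEW_FIELD)
    if store.consume(token):
        return "ok"
    if auto_build:
        store.issue()  # new view built on the fly; request proceeds
        return "ok"
    return "missing" if token is None else "expired"


def demo():
    """Run the three interesting cases and return their outcomes."""
    store = ViewTokenStore()
    # Legitimate flow: render a form, submit it back with its own view id.
    form = render_form(store)
    legit = validate_post(store, dict(form["hidden"]))
    # Forged cross-site POST: the attacker's page cannot supply the view id.
    forged = validate_post(store, {"amount": "1000", "to": "someone"})
    # Expiry: more views are opened than the store keeps, then the first is submitted.
    stale = render_form(store)
    for _ in range(MAX_VIEWS):
        render_form(store)
    expired = validate_post(store, dict(stale["hidden"]))
    return legit, forged, expired


if __name__ == "__main__":
    print(demo())  # ('ok', 'missing', 'expired')
```

The bounded store is the trade-off the message points at: a larger bound means fewer spurious "view has expired" errors for users with many open tabs, at the cost of more session state per user; any choice other than keeping tokens forever will expire some legitimate forms.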