[seam-dev] JSF and CSRF
Dan Allen
dan.j.allen at gmail.com
Thu Apr 2 18:53:45 EDT 2009
Committed. Hoping for some community feedback now. I'll make a forum post.
-Dan
On Thu, Mar 12, 2009 at 5:18 AM, Christian Bauer
<christian.bauer at gmail.com> wrote:
>
> On Mar 11, 2009, at 15:23 , Dan Allen wrote:
>
>> Issue created and initial concept patch provided here
>> https://jira.jboss.org/jira/browse/JBSEAM-4007
>>
>
> The patch seems to be working as expected and I still can't see why it
> shouldn't work. ;) This is a nice solution that gives us independence from
> the HTTP session but CSRF protection.
>
> It won't work if the browser has cookies disabled. The best we can do in
> that situation is: The <s:token> should use JavaScript to detect if cookies
> are enabled and display a warning if not. We have to let users know after
> the first request if it works or not, can't wait for the second request to
> hit the server (with the cookies included).
>
> // Runs at page load: if the browser holds no cookie at all, warn the user.
> function checkCookieSupport() {
>   if (!document.cookie) {
>     jQuery("body")
>       .prepend("<div class='cookieJavaScriptWarning'>" +
>         "This website uses a cross-site scripting protection " +
>         "mechanism that requires " +
>         "cookies to be enabled in your browser. See " +
>         "<a href='http://seamframework.org/foo'>this page</a> " +
>         "for more information." +
>         "</div>");
>   }
> }
>
> Optionally, we can also execute a WebRemote request to a new Seam resource
> that will log a WARN. I'm not sure how useful this is going to be though:
> There is nothing the developer can do and the operations guys probably don't
> care if someone disables cookies.
>
>
--
Dan Allen
Senior Software Engineer, Red Hat | Author of Seam in Action
http://mojavelinux.com
http://mojavelinux.com/seaminaction
NOTE: While I make a strong effort to keep up with my email on a daily
basis, personal or other work matters can sometimes keep me away
from my email. If you contact me, but don't hear back for more than a week,
it is very likely that I am excessively backlogged or the message was
caught in the spam filters. Please don't hesitate to resend a message if
you feel that it did not reach my attention.