Hi, some months ago, i developed a own client window handling for a ASP.NETapplication.
It's like a mix of LAZY and CLIENTWINDOW -> IMO it's completely safe but the windowhandler.html streaming is reduced to a minimum. The main concept behind it is -> the windowId will not be rendered for links. All link onclick's will be overwritten, a validation cookie will be stored before the redirect and the redirect will be done via js: window.location = window.location + window.deltaspikeJsWindowId; Therefore, "open in new window" will work normally as the windowId is not rendered to the URL. The windowhandler.html will only be streamed for GET requests if a windowId is available and no or a invalid cookie is available. ExternalContext#redirect will still append to windowId to the redirect URL. A rough workflow/overview: GET request: without windowId: generate new windowId render script with new windowId add hidden inputs to form overwrite onclick on all links -> window.location == element.href + currentWindowId; with windowId and invalid/no cookie: stream windowHandler html compare window.name and windowId -> windowId == windowName -> set cookie and redirect refresh window.name == "" || windowId != windowName -> remove windowId from URL and refresh with windowId and valid cookie: reuse windowId render script with new windowId add hidden inputs to form overwrite onclick on all links -> window.location == element.href + currentWindowId; POST: get windowId from post param Hopefully i explained all details (and correctly) - it's already late for friday ;) WDYT? Regards, Thomas