[
https://issues.apache.org/jira/browse/DELTASPIKE-752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14185046#comment-14185046
]
Heiko Kopp commented on DELTASPIKE-752:
---------------------------------------
Hehe, I'm not sure either; the code is a long running application. Maybe
someone somehow thought it would be a good idea to do so. Originally I think
one wanted to make sure only a single window is open for the application and
subsequent calls overwrite the old version. By using window.name, the window is
no longer opened a second time but replaces the old one.
As we are now using DeltaSpike and changed the application to be able to open
multiple windows, this is no longer needed.
I was just a bit confused by the repeated reload of all pages in LAZY mode.
It is not really obvious to the DeltaSpike user that by using window.name in
the application, this breaks windowId recognition in LAZY mode, if the
combination of window.name + windowId > 10 characters. I got that now, changed
the application so it no longer uses the window name and voilà, it works
again and is still secure, which will please our security team :-P
> ensure a secure maximum length of the window-id
> -----------------------------------------------
>
> Key: DELTASPIKE-752
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-752
> Project: DeltaSpike
> Issue Type: Bug
> Components: JSF-Module, JSF22-Module
> Affects Versions: 1.0.3
> Reporter: Heiko Kopp
> Priority: Critical
> Fix For: 1.0.4
>
>
> if the window-id is too long, we would need to escape it to avoid XSS.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
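The failure mode discussed in the comment (an application that also writes to window.name pushes the stored window id past the maximum length, so the id is no longer recognized and a fresh one is issued, hence the reloads) and the issue's point about escaping a rejected id, as an added illustration. This is example code written for this page, not DeltaSpike's own windowhandler; it assumes the id is carried in window.name, that the maximum accepted length is the 10 characters the comment cites, that a valid id is alphanumeric, and it simulates window.name as a plain string so it runs outside a browser. The `MAX_WINDOW_ID_LENGTH`, `newWindowId` and `windowId` field names are hypothetical.

```javascript
// Added example, not DeltaSpike code. Assumptions (hypothetical): the window id
// is stored in window.name, MAX_WINDOW_ID_LENGTH is 10, valid ids are alphanumeric.
const MAX_WINDOW_ID_LENGTH = 10;
const SAFE_ID = /^[A-Za-z0-9]+$/;

// A window id is accepted only if it is short enough and drawn from a safe
// charset; anything else (including an application-prefixed window.name) fails.
function validWindowId(candidate) {
  return typeof candidate === 'string'
    && candidate.length > 0
    && candidate.length <= MAX_WINDOW_ID_LENGTH
    && SAFE_ID.test(candidate);
}

// Hypothetical id generator standing in for the real one.
let counter = 0;
function newWindowId() {
  counter += 1;
  return 'w' + counter;
}

// Given the current window.name value, either recognize the existing window or
// issue a new id. In a LAZY-mode handler the second path is what triggers the
// page reload the comment describes.
function recognizeWindow(windowName) {
  if (validWindowId(windowName)) {
    return { windowId: windowName, reloaded: false };
  }
  return { windowId: newWindowId(), reloaded: true };
}

// Simulates an application that sets window.name to its own marker on top of
// the stored id, which is what breaks recognition once the total exceeds 10.
function applyAppWindowName(appMarker, windowId) {
  return appMarker + windowId;
}

// Minimal HTML escaping for the case a (possibly over-long or rejected) id is
// ever echoed back into markup, so it cannot become an injection point.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Render the id into a hidden field; the field name "windowId" is hypothetical.
function renderHiddenField(value) {
  return '<input type="hidden" name="windowId" value="' + escapeHtml(value) + '">';
}

// Constructed sample run: a plain 6-character id is recognized, the same id
// prefixed by a 5-character application marker (11 characters) is not.
const ok = recognizeWindow('abc123');
const broken = recognizeWindow(applyAppWindowName('myApp', 'abc123'));
console.log(ok, broken, renderHiddenField('"><script>'));
```

The length check alone is what causes the symptom: a valid id plus an application marker is rejected as a whole, so every navigation looks like a brand-new window. Keeping the charset strict and escaping on output are independent safeguards; the first keeps ids recognizable, the second keeps any value inert if it reaches the page.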