[
https://issues.apache.org/jira/browse/MYFACES-3639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13995012#comment-13995012
]
Leonardo Uribe commented on MYFACES-3639:
-----------------------------------------
I have checked the problem and I found an interesting paper about it:
http://w2spconf.com/2010/papers/p25.pdf

I think it makes sense to enable it, but it is something trivial, because what really matters in JSF is the view state token (even if you have the flash token, it is only valid per session and you still need the view state, which is in a hidden input field). I have seen the following issue on the spec:
https://java.net/jira/browse/JAVASERVERFACES_SPEC_PUBLIC-1201

It is set to be fixed on 2.3 as trivial, but I have noticed the issue was fixed at some point in JSF 2.2. See:
https://java.net/jira/browse/JAVASERVERFACES-2911

If it was fixed in Mojarra 2.2.1, we should fix it in MyFaces 2.2. I think we have not fixed it before because this is something that should be done in the spec, so we should not fix it in 2.0/2.1.
> The flash scope cookie is not HttpOnly
> --------------------------------------
>
> Key: MYFACES-3639
> URL: https://issues.apache.org/jira/browse/MYFACES-3639
> Project: MyFaces Core
> Issue Type: Improvement
> Components: General
> Affects Versions: 2.1.9
> Reporter: David Gadbois
> Priority: Minor
> Attachments: MyFaces-3639Pathv2.0.patch, MyFaces-3639Pathv2.1.patch
>
>
> The oam.Flash.RENDERMAP.TOKEN cookie does not have the HttpOnly flag set.
> Many security policies require that cookies have HttpOnly set if possible.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
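A defender-side mitigation for the quoted issue, as an added example that is neither MyFaces' own code nor the attached patches: a Servlet 3.0 filter that forces HttpOnly on the flash cookie named in the report before the container writes it. The filter class name and the Secure-on-HTTPS handling are assumptions; `Cookie.setHttpOnly` requires Servlet 3.0 or later.

```java
// Added example (not MyFaces code): wrap the response so that any cookie named
// oam.Flash.RENDERMAP.TOKEN is emitted with HttpOnly (and Secure over HTTPS).
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class FlashCookieHttpOnlyFilter implements Filter {

    // Cookie name taken from the issue description.
    static final String FLASH_COOKIE = "oam.Flash.RENDERMAP.TOKEN";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(final ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            res = new HttpServletResponseWrapper((HttpServletResponse) res) {
                @Override
                public void addCookie(Cookie cookie) {
                    if (FLASH_COOKIE.equals(cookie.getName())) {
                        cookie.setHttpOnly(true);        // not readable from script
                        cookie.setSecure(req.isSecure()); // assumption: Secure when served over HTTPS
                    }
                    super.addCookie(cookie);
                }
            };
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Register the filter in web.xml ahead of the Faces Servlet mapping so the wrapper is in place when the flash cookie is added during rendering.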