Description
I just wanted to make you aware of the following security issue in conjunction with the includeViewParameters navigation parameter. It seems it is also reproducible with MyFaces:
http://java.net/jira/browse/JAVASERVERFACES-2247
I'm not sure which workaround would be best in accordance with the Spec, but at least a quick fix might be worth considering to improve the security of the default behavior.