The recent change to defer building the entire component tree until the render
response phase (so that only the metadata facet is built during restore view) has
deactivated Facelets' build-during-restore-on-postback feature. The plan was for
this feature to be the default in JSF 2.0. When this build occurs, there should be
no special handling for the metadata facet, since the assumption is that the build
is taking place because the existing tree could not be properly restored (either
because it no longer exists in the session or because the session ended).
We have to be careful enabling this feature, though, because it compromises the
basic contract of JSF that the user must first see a view rendered by the JSF
application before being allowed to trigger an event. Once build-during-restore is
enabled, it is possible to submit a form from a plain HTML page into the JSF
application without any verification of the source. It is crucial that enabling
this feature be accompanied by a secure token exchange in the case of server-side
state saving.
It should also be noted that we should really think about generating a more
secure token for the value of javax.faces.ViewState used in server-side state
saving. The current token is entirely too predictable, setting up a situation
where the user's session can be easily hijacked. (The token is currently "j_id" +
the number of views in the session.)
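To make the two points above concrete (the need for a token exchange before a postback is honoured, and the weakness of a "j_id" + count token), here is an added, self-contained illustration. It is not Mojarra or JSF code and uses no JSF API; the class name, the in-memory map standing in for the session's saved views, and the sample view-state strings are all assumptions made for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (hypothetical, not Mojarra code): a per-session holder for
 * server-side view state, keyed by the value that would travel in the
 * javax.faces.ViewState hidden field.
 *
 * saveViewWeak   mirrors the scheme described above ("j_id" + number of views)
 * saveViewStrong replaces it with 128 bits from SecureRandom
 * restoreView    is the postback check: no matching token, no restored tree
 */
public class ViewStateTokens {

    // Stands in for the views stored in the HttpSession (assumption).
    private final Map<String, Object> savedViews = new HashMap<>();
    private final SecureRandom rng = new SecureRandom();

    /** Weak: the token is a counter, so anyone can predict it. */
    public String saveViewWeak(Object viewState) {
        String token = "j_id" + savedViews.size();
        savedViews.put(token, viewState);
        return token;
    }

    /** Strong: 16 random bytes, URL-safe base64 so it survives a hidden form field. */
    public String saveViewStrong(Object viewState) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        savedViews.put(token, viewState);
        return token;
    }

    /**
     * Postback path. Returns the saved state for a token this session issued,
     * or null when the submitted token matches nothing. A null result means
     * the request did not originate from a view this application rendered
     * (for example a hand-written HTML form), and the caller should refuse to
     * fall back to building the tree from the Facelet for it.
     */
    public Object restoreView(String submittedToken) {
        if (submittedToken == null) {
            return null;
        }
        return savedViews.get(submittedToken);
    }

    public static void main(String[] args) {
        ViewStateTokens session = new ViewStateTokens();

        // Constructed sample state; a real implementation stores the serialized tree.
        String weak = session.saveViewWeak("state of /checkout.xhtml (weak)");
        String strong = session.saveViewStrong("state of /checkout.xhtml (strong)");

        System.out.println("weak token:   " + weak);   // first view is always j_id0
        System.out.println("strong token: " + strong); // 22 chars of random base64

        // A forged form from outside the application can guess the counter...
        System.out.println("guess j_id0   -> " + session.restoreView("j_id0"));
        // ...but has no realistic chance of guessing 128 random bits.
        System.out.println("guess random  -> " + session.restoreView("AAAAAAAAAAAAAAAAAAAAAA"));
        // Only the token the rendered page actually carried restores the view.
        System.out.println("real token    -> " + session.restoreView(strong));
    }
}
```

The point of restoreView returning null rather than rebuilding is the contract stated above: with build-during-restore enabled, a postback whose ViewState matches nothing must be rejected (or treated as a fresh GET), otherwise the feature turns every plain HTML form into a valid entry point into the application. The strong token only helps if the lookup is strict; a random token that the server ignores on mismatch protects nothing.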