[ https://issues.apache.org/jira/browse/TAP5-874?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762109#action_12762109 ]
Ben Gidley commented on TAP5-874:
---------------------------------
Although this is a nice feature, it is a security risk.
A man in the middle could change the posting path for the login form to their
own site and harvest usernames/passwords. This doesn't mean it shouldn't be
implemented, but if it is, the docs should warn about this risk. A site requiring
strong security (e.g. banking/payments) shouldn't use this pattern.
> Add t:secure to Form component
> ------------------------------
>
> Key: TAP5-874
> URL: https://issues.apache.org/jira/browse/TAP5-874
> Project: Tapestry 5
> Issue Type: Improvement
> Components: tapestry-core
> Affects Versions: 5.1.0.5
> Reporter: Olle Hallin
> Priority: Minor
>
> It would be nice if one could make a <t:form> post to SSL by specifying
> t:secure="true" on the form component.
> It is a quite common design pattern nowadays to have a login form on each
> page. It is mostly not necessary however to access all pages via https.