[
https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Martijn Dashorst closed WICKET-3469.
------------------------------------
Resolution: Not A Problem
If you need a redirect, use a normal Link component instead. ExternalLink does
exactly what it is designed to do: render an <a href=""> for a normal URL.
You could add an AttributeModifier to add a noreferrer tag to the link. See
http://www.whatwg.org/specs/web-apps/current-work/multipage/links.html#link-type-noreferrer
> Referrer Leaking with ExternalLink
> ----------------------------------
>
> Key: WICKET-3469
> URL: https://issues.apache.org/jira/browse/WICKET-3469
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.15
> Reporter: Holger Jaekel
>
> When Cookies are turned off, the jsessionid is included in the URL of the
> wicket application, e.g.
> http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg
> ExternalLink renders links like <a href="http://www.google.de/">Google</a>
> When the user clicks on such an external link, the browser puts the current
> URL (including the session id) into the Referrer HTTP header. This is a
> security issue. Instead, the ExternalLink should use a redirect to open the
> external url.
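The attribute-modifier approach suggested in the closing comment, as an added example that is not part of the original message or of Wicket itself. `NoReferrerExternalLink` is a hypothetical class name, and the constructors used are assumed to be those of the Wicket 1.4 line named in the report.

```java
import org.apache.wicket.behavior.AttributeAppender;
import org.apache.wicket.markup.html.link.ExternalLink;
import org.apache.wicket.model.Model;

/**
 * Hypothetical helper, not a Wicket class: an ExternalLink that always
 * renders rel="noreferrer". Browsers that implement the noreferrer link
 * type omit the Referer header when the link is followed, so a URL that
 * carries ;jsessionid=... is not sent to the external site.
 */
public class NoReferrerExternalLink extends ExternalLink {

    private static final long serialVersionUID = 1L;

    public NoReferrerExternalLink(String id, String href, String label) {
        super(id, href, label);
        // AttributeAppender (rather than a replacing AttributeModifier) keeps
        // any rel tokens already present in the markup and appends
        // "noreferrer", separated by a space. The 'true' argument adds the
        // attribute when the markup has no rel attribute at all.
        add(new AttributeAppender("rel", true,
                new Model<String>("noreferrer"), " "));
    }
}

// Usage inside a page or panel, with markup <a wicket:id="google"></a>:
//
//   add(new NoReferrerExternalLink("google", "http://www.google.de/", "Google"));
//
// Rendered output:
//
//   <a href="http://www.google.de/" rel="noreferrer">Google</a>
```

A browser that does not implement the noreferrer link type still sends the header, so links rendered this way should be checked in the browsers the application supports.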