[ 
https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998223#comment-12998223
 ] 

Martin Grigorov commented on WICKET-3469:
-----------------------------------------

I tend to agree with Holger.
With the current impl of ExternalLink Wicket provides a component which is 
vulnerable (session hijacking through the referer) in certain circumstances 
(disabled cookies).
A real fix would be to reimplement ExternalLink as a normal Link which redirects 
in its onClick(). If this is not acceptable then we can at least mention this 
possible problem in the javadoc and add a 'rel="noreferrer"' attribute so at 
least new browsers can help prevent this security hole.

> Referrer Leaking with ExternalLink
> ----------------------------------
>
>                 Key: WICKET-3469
>                 URL: https://issues.apache.org/jira/browse/WICKET-3469
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.15
>            Reporter: Holger Jaekel
>         Attachments: WICKET-3469.zip
>
>
> When Cookies are turned off, the jsessionid is included in the URL of the 
> wicket application, e.g. 
> http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg
> ExternalLink renders links like <a href="http://www.google.de/">Google</a> 
> When the user clicks on such an external link, the browser puts the current 
> URL (including the session id) into the Referrer HTTP header. This is a 
> security issue. Instead, the ExternalLink should use a redirect to open the 
> external URL.

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
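As an added example (not part of the issue or of Wicket's own code), the check below audits rendered markup the way the thread suggests: when the page URL carries a `;jsessionid` path parameter, every cross-host anchor that lacks `rel="noreferrer"` is reported as a potential referrer leak. The page URL, the session id value and the markup are constructed samples.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of what a Wicket page might render with cookies off.
# The jsessionid value is a made-up placeholder, not a real session id.
PAGE_URL = "http://localhost:8080/wicket-app/;jsessionid=0000000000000000000000000000DEAD?x=abc"
RENDERED = """
<a href="/wicket-app/;jsessionid=0000000000000000000000000000DEAD?x=def">Home</a>
<a href="http://www.google.de/">Google</a>
<a href="https://example.org/docs" rel="noopener noreferrer">Docs</a>
<a href="http://www.example.com/" rel="nofollow">Search</a>
"""

def url_carries_session(url):
    """True if the URL path uses the ;jsessionid=... path parameter (URL rewriting)."""
    return ";jsessionid=" in urlsplit(url).path.lower()

class ExternalLinkAudit(HTMLParser):
    """Collect hrefs of <a> tags pointing at other hosts without rel="noreferrer"."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.leaky = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        host = urlsplit(href).netloc
        # Relative and same-host links stay inside the app; only cross-host
        # links hand the session-bearing Referer to a third party.
        if not host or host == self.page_host:
            return
        rel = (a.get("rel") or "").lower().split()
        if "noreferrer" not in rel:
            self.leaky.append(href)

def find_referrer_leaks(page_url, html):
    """Return external hrefs that would leak page_url (with its jsessionid)
    through the Referer header; empty when the page URL carries no session id."""
    if not url_carries_session(page_url):
        return []
    audit = ExternalLinkAudit(urlsplit(page_url).netloc)
    audit.feed(html)
    return audit.leaky
```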
