[ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998239#comment-12998239 ]

Martijn Dashorst commented on WICKET-3469:
------------------------------------------

-1 to server-side events with this component. That would break so many 
applications that it would not be funny.

External link is nothing more than providing your markup with URLs from Java 
code. Similar to just having a <a href="http://google.com"> in your markup. We 
are not going to fix those as well, nor webmarkupcontainers that have an 
attribute modifier to provide a href attribute, nor webmarkupcontainers that 
override onComponentTag and put a href attribute.



> Referrer Leaking with ExternalLink
> ----------------------------------
>
>                 Key: WICKET-3469
>                 URL: https://issues.apache.org/jira/browse/WICKET-3469
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.15
>            Reporter: Holger Jaekel
>            Assignee: Martin Grigorov
>         Attachments: WICKET-3469.zip
>
>
> When Cookies are turned off, the jsessionid is included in the URL of the 
> wicket application, e.g. 
> http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg
> ExternalLink renders links like <a href="http://www.google.de/">Google</a> 
> When the user clicks on such an external link, the browser puts the current 
> URL (including the session id) into the Referrer HTTP header. This is a 
> security issue. Instead, the ExternalLink should use a redirect to open the 
> external URL.

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
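
An added example, not part of the original message or of Wicket: a small audit that, given a page URL and its rendered markup, lists the external links that would receive the session id in the Referer header. It covers every `<a href>`, whether it came from ExternalLink or from plain markup. The function names, the sample markup and the use of `rel="noreferrer"` as the marker for a suppressed Referer are assumptions of this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Servlet URL-rewriting path parameter, e.g. ";jsessionid=03A5..."
SESSION_PARAM = re.compile(r";jsessionid=[^/?#;]+", re.IGNORECASE)

def strip_session(url):
    """Return url with any ;jsessionid=... path parameter removed."""
    return SESSION_PARAM.sub("", url)

class AnchorCollector(HTMLParser):
    """Collects (href, rel tokens) for every <a> in the markup."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            rel = (attrs.get("rel") or "").lower().split()
            self.anchors.append((attrs["href"], set(rel)))

def leaking_links(page_url, html):
    """External hrefs that would receive page_url, session id included, as Referer."""
    if not SESSION_PARAM.search(page_url):
        return []  # no session id in the URL, nothing to leak
    own_host = urlsplit(page_url).netloc.lower()
    collector = AnchorCollector()
    collector.feed(html)
    leaks = []
    for href, rel in collector.anchors:
        target = urlsplit(href)
        # A link is external when it names a host other than the page's own.
        external = bool(target.netloc) and target.netloc.lower() != own_host
        # Assumption: rel="noreferrer" marks links whose Referer is suppressed.
        if external and "noreferrer" not in rel:
            leaks.append(href)
    return leaks

# Constructed sample: the URL from the report plus hand-written markup.
PAGE_URL = ("http://localhost:8080/wicket-app/;jsessionid="
            "03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg")
SAMPLE_HTML = """
<a href="http://www.google.de/">Google</a>
<a href="http://google.com" rel="noreferrer">plain markup link</a>
<a href="/wicket-app/other">internal</a>
"""
```

The audit assumes the browser sends the full page URL as Referer; a page URL without the `;jsessionid` parameter yields no findings.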

        
