Author: mgrigorov
Date: Sun Feb 27 10:13:09 2011
New Revision: 1075017

URL: http://svn.apache.org/viewvc?rev=1075017&view=rev
Log:
WICKET-3469 Referrer Leaking with ExternalLink

Update the javadoc explaining how to link to an external URL without leaking the 
session id in the referrer header.


Modified:
    
wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java

Modified: 
wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
URL: 
http://svn.apache.org/viewvc/wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java?rev=1075017&r1=1075016&r2=1075017&view=diff
==============================================================================
--- 
wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
 (original)
+++ 
wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/link/ExternalLink.java
 Sun Feb 27 10:13:09 2011
@@ -22,6 +22,7 @@ import org.apache.wicket.markup.Componen
 import org.apache.wicket.markup.MarkupStream;
 import org.apache.wicket.model.IModel;
 import org.apache.wicket.model.Model;
+import org.apache.wicket.protocol.http.WebApplication;
 import org.apache.wicket.util.string.Strings;
 
 /**
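Review bot: the added `import org.apache.wicket.protocol.http.WebApplication;` appears to exist only so that the new javadoc `{@link WebApplication#mountResource(...)}` resolves; nothing else in the visible change uses the class. Consider dropping the import and fully qualifying the class inside the `{@link}`, as the same tag already does for `org.apache.wicket.request.resource.ResourceReference`, so that a documentation-only change does not add an import to the class.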
@@ -33,8 +34,12 @@ import org.apache.wicket.util.string.Str
  * <p>
  * <strong>Note</strong>: in the case when the support for cookies in the 
browser is disabled the
  * user's jsessionid will leak in the 'Referrer' header after clicking this 
link. If this is a
- * problem for the application then better use {@link Link} which redirects to 
the new URL using
- * {@link RedirectToUrlException}.
+ * problem for the application then better use a {@link Link} which redirects 
to a shared resource
+ * (see
+ * {@link WebApplication#mountResource(String, 
org.apache.wicket.request.resource.ResourceReference)}
+ * , e.g. "/myapp/redirecting-resource?url=...") which on its side redirects 
to the new URL using
+ * {@link RedirectToUrlException}. Another option is to use 
<code>rel="noreferrer"</code> attribute
+ * in your markup but this will work only in the modern browsers (supporting 
HTML5 standard).
  * 
  * @author Juergen Donnerstag
  */
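Review bot: the example `"/myapp/redirecting-resource?url=..."` in the added javadoc describes a mounted resource that redirects to whatever the `url` query parameter contains, and the text never says the target has to be validated. As written it recommends an open redirect as the fix for the session id leak; please add a sentence stating that the resource must only redirect to URLs the application generated itself or that match an allowlist. Minor style point in the same block: the line starting with `, e.g.` leaves a stray space before the comma after the `{@link}`, and "only in the modern browsers" would read better as "only in browsers that support the HTML5 standard".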

