So what are we going to do about this? I think we should do two things: the first one is bind the continuations to the sitemap where they were created. This should be a simple thing (hopefully). This will fix most problems.
In addition (as a second step), we can add the continuations to the session (as an option) - this will then fix all security problems. But I think we should really do the first step as well as it simply wrong to continue a script in a sitemap where it hasn't been declared - and as soon as the flow script tries to address relative resources it won't work anyway. Carsten
