On Wed, May 13, 2009 at 4:51 AM, Paul Lindner <lind...@inuus.com> wrote:
> Moving the security token to the hash does not fix this problem. You will
> still leak that information.
Yoichiro is right: the security token does not leak in the referer if it is placed in the fragment. One fix for this is to pass a short-lived security token in the URL (1 minute, say) and return a long-lived security token in the body of the page. If you implement a custom security token decoder in Shindig it's pretty easy to do this; just implement SecurityToken.getUpdatedToken.
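The token exchange described in the reply above, as an added example that is not Shindig's code and not from anyone in this thread: a short-lived token travels in the URL, a long-lived one is handed back in the page body, and a `get_updated_token` function mirrors the idea behind `SecurityToken.getUpdatedToken` (the Python names, the HMAC token format, the signing key and the timestamps are all assumptions constructed for the example). It also shows why a token in the fragment is not part of the Referer a browser sends, and that a URL token copied out of a Referer is useless once its one-minute window has passed.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed signing key for the example only; a deployment keeps this out of source.
SECRET_KEY = b"example-only-signing-key"

SHORT_TTL = 60        # seconds a token carried in the URL stays valid
LONG_TTL = 60 * 60    # seconds a token returned in the page body stays valid


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the serialized token payload."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def mint_token(owner: str, ttl: int, kind: str, now: float = None) -> str:
    """Create a signed token: base64(payload).base64(mac).

    kind is "url" for the short-lived token placed in the gadget URL and
    "page" for the long-lived replacement delivered in the page body.
    """
    now = time.time() if now is None else now
    payload = json.dumps(
        {"o": owner, "k": kind, "exp": int(now) + ttl}, separators=(",", ":")
    ).encode()
    return (
        base64.urlsafe_b64encode(payload).decode()
        + "."
        + base64.urlsafe_b64encode(_sign(payload)).decode()
    )


def verify_token(token: str, now: float = None):
    """Return the token payload if the signature is valid and it has not expired, else None."""
    now = time.time() if now is None else now
    try:
        p64, m64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
    except ValueError:          # malformed base64 or missing separator
        return None
    # Check the MAC before trusting the payload; compare_digest avoids timing leaks.
    if not hmac.compare_digest(mac, _sign(payload)):
        return None
    data = json.loads(payload)
    if data["exp"] <= now:
        return None
    return data


def get_updated_token(url_token: str, now: float = None):
    """Exchange a valid short-lived URL token for a long-lived page-body token.

    This is the example's stand-in for the getUpdatedToken idea mentioned in
    the thread. Only "url" tokens may be exchanged, so a leaked page token
    cannot be traded for another one.
    """
    now = time.time() if now is None else now
    data = verify_token(url_token, now)
    if data is None or data["k"] != "url":
        return None
    return mint_token(data["o"], LONG_TTL, "page", now)


def referer_for(url: str) -> str:
    """What a browser sends as Referer: the URL with its fragment stripped."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def demo(now: float = 1_700_000_000.0):
    """Walk through the flow with a constructed clock.

    Returns (page token issued, leaked URL token rejected after TTL,
             page token still valid after TTL, fragment absent from Referer).
    """
    url_token = mint_token("owner:123", SHORT_TTL, "url", now)
    # The gadget renders within a few seconds and receives its long-lived token.
    page_token = get_updated_token(url_token, now + 5)
    # A third party that saw the URL token in a Referer tries it after the window closed.
    leaked_replay = verify_token(url_token, now + SHORT_TTL + 1)
    page_still_valid = verify_token(page_token, now + SHORT_TTL + 1)
    # A token placed in the fragment never reaches the Referer at all.
    fragment_url = "https://gadgets.example/ifr?url=g.xml#st=" + url_token
    fragment_hidden = "st=" not in referer_for(fragment_url)
    return (
        page_token is not None,
        leaked_replay is None,
        page_still_valid is not None,
        fragment_hidden,
    )


if __name__ == "__main__":
    print(demo())
```

The split into two token kinds is the point: the URL token is the only one that can ever end up in a Referer, and it is both short-lived and non-exchangeable once the page token has been issued, so whatever leaks has already lost its value.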