Browsing the livesites, on a whim I tried this URL: http://dir.salon.com/?cocoon-view=content
and it worked! Obviously someone deploying Cocoon should be aware that this view is "on" by default, and may reveal data in your page you might not want. I have yet to see "bad" data get exposed, but there's always the possibility. Do we want the views turned off by default, and have a message in the sitemap about enabling the views? Would it make more sense to have thename of the "cocoon-view" parameter be able to be changed via configuration? Say I wanted the parameter to be my-view instead of cocoon-view. Security through obscurity? Tony