Referrer Leaking with ExternalLink ---------------------------------- Key: WICKET-3469 URL: https://issues.apache.org/jira/browse/WICKET-3469 Project: Wicket Issue Type: Bug Components: wicket Affects Versions: 1.4.15 Reporter: Holger Jaekel
When Cookies are turned off, the jsessionid is included in the URL of the wicket application, e.g. http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg ExternalLink renders links like <a href="http://www.google.de/">Google</a> When the user clicks on such an external link, the browser puts the current URL (including the session id) into the Referrer HTTP header. This is an security issue. Instead, the ExternalLink should use a redirect to open the external url. -- This message is automatically generated by JIRA. - For more information on JIRA, see: http://www.atlassian.com/software/jira