[ https://issues.apache.org/jira/browse/WICKET-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12998071#comment-12998071 ]
Holger Jaekel commented on WICKET-3469:
---------------------------------------

If you see ExternalLink just as a class for rendering a simple anchor link, you are correct. ExternalLink does exactly what it is supposed to do.

I was thinking of ExternalLink as the recommended way of including links to external URLs into an application. The component reference says: "External links take you outside the scope of Wicket. They can come in handy when you keep your links e.g. in a database." But the usage of ExternalLink for external links cannot be recommended because it is possible that the jsessionid is leaked to the external site.

So maybe wicket should offer a secure way of including external links into an application. Using normal Links and creating the redirects in the application code is just a workaround. Using noreferrer is HTML5, which is still a draft.

> Referrer Leaking with ExternalLink
> ----------------------------------
>
>                 Key: WICKET-3469
>                 URL: https://issues.apache.org/jira/browse/WICKET-3469
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.15
>            Reporter: Holger Jaekel
>         Attachments: WICKET-3469.zip
>
>
> When Cookies are turned off, the jsessionid is included in the URL of the
> wicket application, e.g.
> http://localhost:8080/wicket-app/;jsessionid=03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg
> ExternalLink renders links like <a href="http://www.google.de/">Google</a>
> When the user clicks on such an external link, the browser puts the current
> URL (including the session id) into the Referrer HTTP header. This is a
> security issue. Instead, the ExternalLink should use a redirect to open the
> external url.
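
An audit check for the condition described in this issue, added here as an example and not part of the original message or of Wicket: given a page URL and its rendered markup, it lists the external anchors that would receive the `;jsessionid` URL as referrer. It assumes the browser sends the full page URL in the header, as the issue describes; `leaking_links`, `AnchorCollector` and the second and third sample anchors are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Servlet containers put the session id in the path as ";jsessionid=<id>"
# when the client does not accept cookies.
SESSION_PARAM = re.compile(r";jsessionid=[^;/?#]+", re.IGNORECASE)

class AnchorCollector(HTMLParser):
    """Collects (href, rel tokens) for every <a> element in the markup."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "a" and attr.get("href"):
            rel = (attr.get("rel") or "").lower().split()
            self.anchors.append((attr["href"], rel))

def leaking_links(page_url, markup):
    """Return external hrefs that would receive page_url, session id included,
    as the referrer."""
    page = urlsplit(page_url)
    if not SESSION_PARAM.search(page.path):
        return []  # no session id in the URL, nothing to leak
    collector = AnchorCollector()
    collector.feed(markup)
    leaks = []
    for href, rel in collector.anchors:
        host = urlsplit(href).netloc.lower()
        # Relative links have no host and stay inside the application.
        if host and host != page.netloc.lower() and "noreferrer" not in rel:
            leaks.append(href)
    return leaks

# URL and first anchor are taken from the issue text; the other two anchors
# are constructed for this example.
PAGE_URL = ("http://localhost:8080/wicket-app/;jsessionid="
            "03A529631FB1B9BA35556EA02519DF99?x=cOa8p3ycZvK*eAoEOzxHjg")
MARKUP = """
<a href="http://www.google.de/">Google</a>
<a href="http://www.example.org/" rel="noreferrer">Example</a>
<a href="help.html">Help</a>
"""

if __name__ == "__main__":
    for href in leaking_links(PAGE_URL, MARKUP):
        print("session id exposed to:", href)
```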