Message below got bounced back to me...

On Fri, Oct 5, 2012 at 3:49 PM, Justin Edelson <jus...@justinedelson.com> wrote:
>
> Hi Michael,
>
> Thanks for bringing this back up. I see the thread died off without
> resolution (probably my fault).
>
> On Fri, Oct 5, 2012 at 1:36 PM, Michael Marth <mma...@adobe.com> wrote:
>>
>> Hi Justin,
>>
>> > This is obviously not backwards compatible. I'm unclear on the use case
>> > for configurability as logout is idempotent.
>>
>>
>> Judging from the respective sending times, your mail might have been sent
>> before you read Antonio's explanation about the <img> attack.
>
>
> Indeed, although I think the author of
> http://duruk.net/some-web-development-tips/ and I may have different
> definitions of impotency :)
>
> Regardless, I'm happy to see this be configurable. Created
> https://issues.apache.org/jira/browse/SLING-2615 for it.
>
> I'm still unsure about changing the default, but I'll change my vote to a
> -0 on that :)
>
> Justin
>
>>
>>
>> I think if Sling itself does not change the defaults at least Sling users
>> should be able to do so.
>> (+1 on making this configurable)
>>
>>
>> Personally, I think security problems allow for API changes (at least of
>> this scope), so I would even change the default in Sling.
>>
>>
>> Michael
>
>
