tapestry-dev mailing list archives

From "Ben Gidley (JIRA)" <j...@apache.org>
Subject [jira] Commented: (TAP5-874) Add t:secure to Form component
Date Mon, 05 Oct 2009 07:41:31 GMT

    [ https://issues.apache.org/jira/browse/TAP5-874?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12762109#action_12762109 ]

Ben Gidley commented on TAP5-874:

Although this is a nice feature it is a security risk.

A man in the middle could change the posting path for the login form to their own site and
harvest usernames/passwords. This doesn't mean it shouldn't be implemented but if it is the
docs should warn about this risk. A site requiring strong security (e.g. banking/payments)
shouldn't use this pattern. 

> Add t:secure to Form component
> ------------------------------
>                 Key: TAP5-874
>                 URL: https://issues.apache.org/jira/browse/TAP5-874
>             Project: Tapestry 5
>          Issue Type: Improvement
>          Components: tapestry-core
>    Affects Versions:
>            Reporter: Olle Hallin
>            Priority: Minor
> It would be nice if one could make a <t:form> post to SSL by specifying t:secure="true" on the form component.
> It is a quite common design pattern nowadays to have a login form on each page. It is mostly not necessary however to access all pages via https.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
