Howard Lewis Ship <hlship <at> gmail.com> writes:

> All client state for a single page is organized into a single object
> that tracks triads of componentIdPath, propertyName and value. These
> triads are serialized to an ObjectOutputStream and gzip compressed
> (*), then MIME encoded. Only a very dedicated hacker would be able to
> spoof that information in the URLs ... but because of HiveMind you
> could create your own implementation that added some form of encoding.
I think this will be a necessity for this feature to be used in a public production app. It isn't that difficult to encode such an object, in particular when the Tapestry source is available to anyone.

I'm grateful for the wonderful work that you've been doing with Tapestry and understand that your time is limited, but if this (authenticity check) can't be implemented yet when this client side persistence feature is made available, please at least document the security risk involved so that the app developer can make his own informed decision.
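As an added illustration of the authenticity check being asked for (this is not Tapestry or HiveMind code, and it assumes a JDK 8+ standard library), the following wraps the serialize / gzip / MIME-encode pipeline described in the quoted message with an HMAC keyed by a server-side secret. The tag is verified with a constant-time comparison before the payload is gunzipped or handed to ObjectInputStream, so a modified payload is rejected without ever being deserialized. The triad representation (Object[] rows in an ArrayList) and the separator format are assumptions made for the example.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.ArrayList;
import java.util.Base64;
import java.util.zip.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Illustration only (not Tapestry code): authenticated client-side page state.
// Token layout: urlsafe-base64(gzip(serialized state)) + "." + urlsafe-base64(HMAC-SHA256(payload))
public class AuthenticatedClientState {
    private static final String MAC_ALG = "HmacSHA256";
    private final SecretKeySpec key; // server-side secret, never sent to the client

    public AuthenticatedClientState(byte[] secret) {
        this.key = new SecretKeySpec(secret, MAC_ALG);
    }

    /** Serialize + gzip + Base64 encode, then append an HMAC over the encoded payload. */
    public String encode(Serializable state) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        // Closing the ObjectOutputStream closes (and finishes) the GZIPOutputStream underneath.
        try (ObjectOutputStream oos = new ObjectOutputStream(new GZIPOutputStream(bytes))) {
            oos.writeObject(state);
        }
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding(); // alphabet contains no '.'
        String payload = enc.encodeToString(bytes.toByteArray());
        String tag = enc.encodeToString(mac(payload));
        return payload + "." + tag;
    }

    /** Verify the tag first; only a payload with a valid tag is gunzipped and deserialized. */
    public Object decode(String token)
            throws IOException, ClassNotFoundException, GeneralSecurityException {
        int dot = token.lastIndexOf('.');
        if (dot < 0) throw new SecurityException("malformed client state");
        String payload = token.substring(0, dot);
        byte[] presented = Base64.getUrlDecoder().decode(token.substring(dot + 1));
        // MessageDigest.isEqual is constant-time, so the tag cannot be guessed byte by byte via timing.
        if (!MessageDigest.isEqual(presented, mac(payload))) {
            throw new SecurityException("client state failed authenticity check");
        }
        byte[] raw = Base64.getUrlDecoder().decode(payload);
        try (ObjectInputStream ois =
                 new ObjectInputStream(new GZIPInputStream(new ByteArrayInputStream(raw)))) {
            return ois.readObject();
        }
    }

    private byte[] mac(String payload) throws GeneralSecurityException {
        Mac mac = Mac.getInstance(MAC_ALG);
        mac.init(key);
        return mac.doFinal(payload.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // in a real deployment: a persistent, per-deployment secret
        AuthenticatedClientState codec = new AuthenticatedClientState(secret);

        // Constructed sample state: triads of componentIdPath, propertyName, value.
        ArrayList<Object[]> triads = new ArrayList<>();
        triads.add(new Object[] {"form/loop", "index", Integer.valueOf(3)});
        triads.add(new Object[] {"form/loop/select", "selectedId", "item-42"});

        String token = codec.encode(triads);
        System.out.println("token: " + token);
        Object back = codec.decode(token);
        System.out.println("round-trip ok: " + (back instanceof ArrayList));

        // A single altered payload character no longer matches the tag and is rejected
        // before ObjectInputStream sees any bytes.
        char flipped = token.charAt(0) == 'A' ? 'B' : 'A';
        String modified = flipped + token.substring(1);
        try {
            codec.decode(modified);
            System.out.println("ERROR: modified state accepted");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The HMAC guarantees that only state the server itself produced is ever deserialized; it does not by itself make ObjectInputStream safe against untrusted input, so the tag check must stay in front of deserialization, and on Java 9+ an ObjectInputFilter restricting the permitted classes is a sensible second layer. The encoding also stays reversible by anyone who reads the Tapestry source, exactly as the reply points out; the secret is what an outsider lacks, not the format.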
