Visibility: maybe a security breach?

Hi

I want to know what the outcome of changing the visibility of a component is. I think there are two possibilities:

  1. change the CSS visibility attribute

  2. create / erase the component in the browser

Option 1 is the easiest and quickest, but it exposes information in the browser that can be a security breach.

Option 2 is the safest and lightest for the browser.

If the choice is #1, the only way to keep the application safe is to destroy or rebuild components or layouts. And that may affect performance due to load on the server, communications and browser.

Which is the Vaadin choice? How can I avoid those security breaches without overloading the server, browser and channel?

Thanks

I recall that changing visibility rips the component out of the DOM tree, making it the more secure option - equivalent to doing a removeComponent().

I’m not 100% however, so I’ll have to check the code to see what it does. Easiest way to check this would be to use Firefox Firebug, Internet Explorer Developer Tools, Chrome Inspector etc. and check what happens in the html when you run setVisible(false).

I was, in fact, completely wrong. Did a little test and I could see the visible(false) - component from the DOM tree. Sorry.


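import com.vaadin.Application;
import com.vaadin.ui.Button;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Button.ClickListener;
import com.vaadin.ui.Label;
import com.vaadin.ui.Window;

public class VaadintestApplication extends Application implements ClickListener {

	private static final long serialVersionUID = 2915937050180006407L;
	private Label label;

	@Override
	public void init() {
		Window mainWindow = new Window("Peppe's playground");
		setMainWindow(mainWindow);

		// The label is rendered once, then toggled by the button below
		label = new Label("Look at me disappearing!");
		Button button = new Button("Do the magic", this);

		mainWindow.addComponent(label);
		mainWindow.addComponent(button);
	}

	// Toggle the label's visibility on every click
	public void buttonClick(ClickEvent event) {
		if (label.isVisible()) {
			label.setVisible(false);
		} else {
			label.setVisible(true);
		}
	}
}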

From the image you can see that the hidden label has got the css tag display:none and it is hidden because of this.

Just to add, both setting component.setVisible(false) and component.setEnabled(false) disable the component. Vaadin framework blocks all the events to disabled components. Even if one could trick the browser to send events to disabled (or hidden) components, Vaadin framework would block those events.

And to answer your question - setVisible(false) is the correct way to go.
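
Option 2 from the question (the removeComponent() route mentioned in the first reply), as an added example that is not part of the thread or of Vaadin's own code: in the test above the hidden label stayed in the DOM, so this variant only creates the label after a server-side check and detaches it instead of hiding it. It assumes the Vaadin 6 API used in the test; the class name, loadSensitiveText() and the use of getUser() as the authorization check are hypothetical stand-ins.

```java
import com.vaadin.Application;
import com.vaadin.ui.Button;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Button.ClickListener;
import com.vaadin.ui.Label;
import com.vaadin.ui.Window;

// Added example (hypothetical class name): detach instead of hide.
public class DetachInsteadOfHideApplication extends Application implements ClickListener {

	private static final long serialVersionUID = 1L;
	private Window mainWindow;
	private Label secret; // null while the sensitive label is not attached

	@Override
	public void init() {
		mainWindow = new Window("Detach instead of hide");
		setMainWindow(mainWindow);
		mainWindow.addComponent(new Button("Toggle sensitive label", this));
	}

	public void buttonClick(ClickEvent event) {
		if (secret == null) {
			// Decide on the server; the text is created only after the check passes.
			if (!isAuthorized()) {
				return;
			}
			secret = new Label(loadSensitiveText());
			mainWindow.addComponent(secret);
		} else {
			// Detach the component rather than calling setVisible(false),
			// and drop the reference so the text is rebuilt on next use.
			mainWindow.removeComponent(secret);
			secret = null;
		}
	}

	// Assumption: a user object set with setUser() stands in for a real check.
	private boolean isAuthorized() {
		return getUser() != null;
	}

	// Hypothetical stand-in for fetching the protected value.
	private String loadSensitiveText() {
		return "constructed sample value";
	}
}
```

After toggling, the same browser developer tools used in the test above show whether the label's element and text are still present in the HTML.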