Apache Wicket's encrypted URLs don't protect from CSRF | Dark Hacker News