Page Flow Controller in no-script mode
Posted by Jasper Linthorst on Aug 26, 2010; 12:40pm
URL: https://discuss.orbeon.com/Page-Flow-Controller-in-no-script-mode-tp2339692.html
Hi Erik/Alessandro,
I'm experiencing problems when using the page flow controller with Orbeon in no-script mode (just have a look at the ATM example in no-script mode). Could you let me know if there's a way to make this work, aside from switching to script-mode? TIA.
Because of the problem mentioned above I've decided to switch to using submissions (with replace=all) from my xform in order to navigate from one xform to the other. This works fine, but made me think of the fact that the instance data passed in to a form can be submitted from any client, so there is no way to make sure that the data received in form2 was submitted by form1 (or at least the same Orbeon server). Meaning that a hacker with knowledge of the used datamodel can fake the instance data we use to build our form (or submit to our pipeline). Am I correct?
I would like to know if Orbeon comes with a solution to this problem (aside from fixing things through Apache, URL-rewriting, checking the remote-host or changing the business logic), like only allowing local-submissions to generate instance data, or maybe having the xforms server sign (using xml-dsig or something) and validate the submitted instance data to make sure it came from the same xforms-server. Please let me know if there's a solution to this already, or if I'm making the wrong assumptions. If not, I'd be happy to contribute something to fix this, let me know...
Regards,
Jasper
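
The server-side signing idea raised in the post, sketched as an added example (not part of the original post and not Orbeon code). It swaps XML-DSig for a plain HMAC-SHA256 tag over the canonicalized instance; the function names, the session binding and the sample instance are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Assumption: one secret held only by the server that renders form1 and
# receives form2's submission. It is never sent to the client.
SERVER_KEY = secrets.token_bytes(32)

def canonical_bytes(instance_xml: str) -> bytes:
    """C14N 2.0 form, so attribute order and indentation do not change the tag."""
    return ET.canonicalize(instance_xml, strip_text=True).encode("utf-8")

def sign_instance(instance_xml: str, session_id: str, key: bytes = SERVER_KEY) -> str:
    """Tag issued together with the instance when form1 hands it to the client."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    # Assumption: binding to a server-generated session id stops a tag issued
    # to one user from being reused with another user's session.
    mac.update(session_id.encode("utf-8") + b"\x00")
    mac.update(canonical_bytes(instance_xml))
    return mac.hexdigest()

def verify_instance(instance_xml: str, session_id: str, tag: str,
                    key: bytes = SERVER_KEY) -> bool:
    """Check run before form2 (or the pipeline) trusts a submitted instance."""
    try:
        expected = sign_instance(instance_xml, session_id, key)
    except ET.ParseError:
        return False  # malformed XML is rejected, not partially processed
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode("utf-8"), tag.encode("utf-8"))

# Constructed sample data, not taken from the ATM example.
ISSUED = '<transfer account="42" currency="EUR"><amount>100</amount></transfer>'
REFORMATTED = ('<transfer currency="EUR" account="42">\n'
               '  <amount>100</amount>\n</transfer>')
TAMPERED = ISSUED.replace("100", "100000")

if __name__ == "__main__":
    tag = sign_instance(ISSUED, "session-A")
    print("same data, reserialized:", verify_instance(REFORMATTED, "session-A", tag))
    print("client-modified amount: ", verify_instance(TAMPERED, "session-A", tag))
    print("tag used in other session:", verify_instance(ISSUED, "session-B", tag))
```

A tag like this only proves the instance was issued by the holder of the key; fields the user is expected to edit in form1 cannot be covered by it and still need server-side validation.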