Many items point to another item for their values, images, and help messages. These items are considered related
. Related items include lists, popups, and comboboxes with cells, buttons and images, or any item linked to a help message. For the best security, when you sign an item, you must sign all related items.
If there is a conflict between signed and unsigned items, you must err on the side of signing. For example, you can omit a cell group for a popup, but if two popups use the same cell group and only one popup is signed, then the cell group should still be signed.
This is important to prevent accidental modification of the signed item. If a signature signs only one item in a related pair of items, the unsigned item can be modified. For example, someone could alter unsigned cell
information even when the related popup
item has been signed. As a result, the content of the form could be changed after the user has signed it.
While an omit filter automatically signs all items and options that you do not specifically exclude, keep filters must explicitly list all items and options you want to secure. Because related items often do not appear as separate items on the form, it is easy to neglect them in your keep filter. If you are using keep filters, always double-check that you are securing all related items. For example, images are stored in separate data items. Items that display images simply contain references to the data item. Therefore, if you secure a button using a keep filter but forget to secure the image data, the button's image is not secured and could be modified.
Assume you are creating a popup with the following two choices visible to the user:
"Please do not sell my personal information"
"You may sell my personal information"
When the users sign the form, the popup is secured with a keep
filter that does not specify the popup's cells.
Once a choice is selected, the scope identifier (sid) of the cell containing the choice is stored in the popup's value
option. In this example, assume the user chooses "Please do not sell my personal information". The sid of this choice is cell1
. The secured popup stores a reference to cell1 in it's value
option. This secures the sid of the popup, preventing users from selecting a new cell from the popup. However, the cell itself is not signed. A malicious user could open the form in a text editor and change the text contained in cell1 so that it no longer reflects the choice made by the user. For example, the cell's value could be changed to "You may sell my personal information". Anyone viewing the form after this alteration would think that the user permitted the company to sell her personal information.
Exceptions to this practice
There are no exceptions to this practice that you should consider
While there are no exceptions to this practice, you should be aware that conflict resolution between signed and unsigned items must err on the side of signing. For example, you can omit a cell group for a popup, but if two popups use the same cell group and only one popup is signed, then the cell group should still be signed.