Remove back end assets from public front end auth pages #592
Comments
Leaving in assets for now

This change removes back end hooks from public auth pages to prevent data leakage and unintended consequences via bad plugin programming. Now I would like to allow plugins to continue to modify these pages for custom login stuff, but I do not want to switch them to front end hooks as our template system does not support auth pages yet. Perhaps we should add specific headers for public auth pages. This includes Index and resetpassword pages.

NOTE: These pages were never consistent to begin with; hooks were executed on resetpassword but not login, so now they match in that neither executes back end hooks, on the reasoning that they are not back end pages, even if they are not front end either. They also had CSS hidden footers and other crap in them.

From hameau: Will have to obfuscate these or remove them, I do not believe anything indexes assets, but a security scanner could be made to sniff these out and log them.
Remove