
Fix CSRF Vulnerability in HTML5 Template #39

Open
tajmone opened this issue Nov 30, 2019 · 1 comment
Labels
🕑 pending decision Issue requires decisions by maintainers 👑 HTML Issues with conversion to HTML format 👑 WWW Issues with online book via GitHub Pages 💀 SECURITY Security vulnerability issues ⚠️ important Priority: High

Comments

tajmone (Owner) commented Nov 30, 2019

POSTPONED: This problem should really be fixed in Asciidoctor, not here.

Fix a security issue in Asciidoctor's default HTML5 template, unless the problem is fixed before The Hugo Book is publicly released.

I've just discovered that the HTML5 template is vulnerable to CSRF attacks (Cross-Site Request Forgery) due to the lack of the SameSite attribute in the cross-site cookie settings, and I have opened an Issue for this (see asciidoctor/asciidoctor#3496).

If the problem is not fixed before the book is released, I should fix this by adding a custom Haml template or by injecting a fix in the HTML header.

References

For a detailed introduction to the nature of the CSRF attack problem, and its solution, see:

@tajmone tajmone added ⚠️ important Priority: High 👑 HTML Issues with conversion to HTML format 🕑 pending decision Issue requires decisions by maintainers 👑 WWW Issues with online book via GitHub Pages 💀 SECURITY Security vulnerability issues labels Nov 30, 2019
tajmone (Owner, Author) commented Dec 22, 2019

I've removed this Issue from the pending tasks of the 1st release and postponed it to the Long Term project board. This is really something that should be solved upstream in the Asciidoctor project, rather than by tweaking the Haml templates here.

Besides, this shouldn't affect our project because GitHub Pages offers the secure HTTPS protocol.

I'm keeping this Issue open because so far no one at Asciidoctor has replied to the Issue I filed on this problem. If no action is taken upstream I'll eventually have to consider solving the problem locally, but for now let's just wait and see.
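The two comments above refer to the SameSite cookie attribute as the CSRF defence and to HTTPS on GitHub Pages. The following is an added example, not code from this thread, from The Hugo Book or from Asciidoctor: a self-contained model of how a server emits the attribute in a `Set-Cookie` header and how a browser then decides whether to attach the cookie to a cross-site request. The hostnames `bank.example` and `attacker.example`, the cookie value and the request objects are all constructed for illustration. It also shows that the `Secure` attribute governs only the transport, so an attacker page served over HTTPS still produces a cookie-bearing cross-site POST when the cookie has no SameSite restriction.

```javascript
// Added example (not from the thread, The Hugo Book or Asciidoctor).
// Model of SameSite cookie handling and the CSRF it prevents.
// Hostnames, cookie values and requests below are constructed.

// --- Server side -----------------------------------------------------------
// SameSite is an attribute of the Set-Cookie *response header*: it is set by
// the server that issues the cookie, not by the HTML document being served.
function buildSetCookie(name, value, opts = {}) {
  const { sameSite = "Lax", secure = true, httpOnly = true } = opts;
  if (!["Strict", "Lax", "None"].includes(sameSite)) {
    throw new Error(`invalid SameSite value: ${sameSite}`);
  }
  // Browsers reject a SameSite=None cookie that is not also marked Secure.
  if (sameSite === "None" && !secure) {
    throw new Error("SameSite=None requires the Secure attribute");
  }
  const parts = [`${name}=${value}`, "Path=/", `SameSite=${sameSite}`];
  if (secure) parts.push("Secure");
  if (httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// --- Browser side ----------------------------------------------------------
// Parse a Set-Cookie header value into the fields the send decision needs.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const [name, value] = pair.split("=");
  const cookie = { name, value, sameSite: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "samesite") cookie.sameSite = v;
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
  }
  return cookie;
}

// Simplified browser rule for attaching a cookie to a request:
//   Strict: same-site requests only.
//   Lax:    same-site requests, plus cross-site top-level navigations that use
//           a safe method (GET/HEAD); never a cross-site POST.
//   None:   every request, but only over HTTPS because it must be Secure.
// A cookie with no SameSite attribute is treated as None, which is what
// browsers did when this thread was written (Chrome has since defaulted to Lax).
function browserSendsCookie(cookie, req) {
  if (cookie.secure && !req.https) return false;
  const sameSite = req.initiator === req.target;
  const mode = cookie.sameSite || "None";
  if (mode === "Strict") return sameSite;
  if (mode === "Lax") {
    return sameSite || (req.topLevel && ["GET", "HEAD"].includes(req.method));
  }
  return true;
}

// --- CSRF scenario ---------------------------------------------------------
// A page on attacker.example auto-submits a hidden form as a POST to
// bank.example/transfer. The endpoint trusts the session cookie alone, so the
// forged request is accepted exactly when the browser attaches the cookie.
const CROSS_SITE_POST = {
  initiator: "attacker.example",
  target: "bank.example",
  method: "POST",
  topLevel: true, // a form submission is a top-level navigation
  https: true,    // the attacker's page is served over HTTPS as well
};

// A legitimate POST from the bank's own pages, for comparison.
const SAME_SITE_POST = { ...CROSS_SITE_POST, initiator: "bank.example" };

function csrfSucceeds(setCookieHeader, req = CROSS_SITE_POST) {
  return browserSendsCookie(parseSetCookie(setCookieHeader), req);
}

function demo() {
  // Legacy cookie: Secure and HttpOnly but no SameSite. The cookie is sent,
  // so the forged transfer succeeds despite HTTPS on both ends.
  const legacy = "session=abc123; Path=/; Secure; HttpOnly";
  // Hardened cookie: SameSite=Lax stops the cross-site POST but keeps the
  // bank's own form submissions working.
  const hardened = buildSetCookie("session", "abc123", { sameSite: "Lax" });
  return {
    legacyForged: csrfSucceeds(legacy),                      // true
    hardenedForged: csrfSucceeds(hardened),                  // false
    hardenedOwnUse: csrfSucceeds(hardened, SAME_SITE_POST),  // true
  };
}
```

`demo()` returns the three outcomes side by side. Note that `Lax` still lets a cross-site top-level GET carry the cookie, so state-changing endpoints must not accept GET; `Strict` closes that path at the cost of dropping the session on inbound links.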
