Fix CSRF Vulnerability in HTML5 Template #39
Labels:
🕑 pending decision: Issue requires decisions by maintainers
👑 HTML: Issues with conversion to HTML format
👑 WWW: Issues with online book via GitHub Pages
💀 SECURITY: Security vulnerability issues
⚠️ important: Priority: High
Fix a security issue in the Asciidoctor default HTML5 template, unless the problem is fixed before The Hugo Book is publicly released.
I've just discovered that the HTML5 template is vulnerable to CSRF attacks (cross-site request forgery) due to the lack of the SameSite attribute for cross-site cookie settings, and opened an issue for this (see asciidoctor/asciidoctor#3496). If the problem is not fixed before the book is released, I should fix this by adding a custom Haml template or injecting a fix in the HTML header.
References
For a detailed introduction to the nature of the CSRF attack problem, and its solution, see:
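Added example, not part of the issue, its references, or Asciidoctor: SameSite is an attribute of the Set-Cookie response header, so a defender checks the headers a site actually sends. This audit parses constructed Set-Cookie values and reports cookies that browsers would attach to cross-site requests without restriction, plus the SameSite=None-without-Secure mistake that browsers reject.

```python
"""Audit Set-Cookie headers for CSRF-relevant cookie attributes (added example)."""
from typing import Dict, List, Tuple

VALID_SAMESITE = {"strict", "lax", "none"}


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {lower-cased attribute: lower-cased value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip().lower()
    return name, attrs


def audit_cookie(header: str) -> List[str]:
    """Return human-readable findings for one Set-Cookie header value."""
    name, attrs = parse_set_cookie(header)
    findings: List[str] = []
    samesite = attrs.get("samesite")
    if samesite is None:
        # No attribute: behaviour depends on the browser, so CSRF protection is not guaranteed.
        findings.append(f"{name}: no SameSite attribute")
    elif samesite not in VALID_SAMESITE:
        findings.append(f"{name}: unknown SameSite value '{samesite}'")
    elif samesite == "none":
        if "secure" not in attrs:
            # Browsers drop SameSite=None cookies that are not also marked Secure.
            findings.append(f"{name}: SameSite=None without Secure")
        else:
            # Explicitly cross-site: the application needs another CSRF defence (e.g. a token).
            findings.append(f"{name}: SameSite=None sends cookie cross-site; needs a CSRF token")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly")
    return findings


def audit_headers(headers: List[str]) -> List[str]:
    """Audit every Set-Cookie value in a response and flatten the findings."""
    return [f for h in headers for f in audit_cookie(h)]


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    sample = ["session=abc123; Path=/; HttpOnly", "pref=dark; SameSite=None"]
    for finding in audit_headers(sample):
        print(finding)
```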