Fix CSRF Vulnerability in HTML5 Template

[tajmone]

POSTPONED — This problem should really be fixed on Asciidoctor, not here.

Fix a security issue in Asciidoctor default HTML5 template, unless the problem is fixed before The Hugo Book is publicly released.

I've just discovered that the HTML5 template is vulnerable to CSRF attacks (Cross-site request forgery) due to lack of the SameSite attribute for cross-site cookies settings, and opened an Issue for this (see asciidoctor/asciidoctor#3496).

If the problem is not fixed before the book is released, I should fix this by adding a custom Haml template or inject a fix in the HTML header.

References

For a detailed introduction to the nature of the CSRF attack problem, and its solution, see:

• HTML5 Template Vulnerable to CSRF Attacks asciidoctor/asciidoctor#3496 — HTML5 Template Vulnerable to CSRF Attacks
• SameSite cookies explained, by Rowan Merewood.
• Chrome Platform Status » Cookies default to SameSite=Lax
• Chrome Platform Status » Reject insecure SameSite=None cookies

[tajmone]

I've removed this Issue from the pending tasks of the 1st release and postponed it to the Long Term project board. This is really something that should be solved upstream on the Asciidoctor project, rather than tweaking the HAML templates here.

Besides, this shouldn't affect our project because GitHub Pages offer secure HTTPS protocol.

I'm keeping this Issue open because so far no one replied at Asciidoctor to the Issue I've filed on this problem. If no action is taken upstream I'll have to eventually consider solving the problem locally, but for now let's just wait and see.