Enucatl commented on issue #49495: URL: https://github.com/apache/airflow/issues/49495#issuecomment-3027843221
If it's as bad, at least people are used to how that worked in airflow 2, with their authentication setups, mitigation measures etc. Then why are we changing for no benefit? But I would argue the current proposal is in fact significantly worse: if the airflow token is stolen from the URL, you can get access to airflow and do something there. Usually not a lot. When I logged into airflow from my single sign-on portal, that set a cookie **that is valid across any internal services** at subdomain.domain.com. Unlocking that to javascript everywhere opens a vastly larger attack surface, that can be exploited not only by rogue dependencies of airflow, but potentially anything running under the same domain. That is a key reason for insisting on HttpOnly cookies as a general practice. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
