[ https://issues.apache.org/jira/browse/FLINK-35532?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hong Liang Teoh updated FLINK-35532:
------------------------------------
    Fix Version/s: 1.20.0
                   1.19.1
                       (was: 1.19.2)

> Prevent Cross-Site Authentication (XSA) attacks on Flink dashboard
> ------------------------------------------------------------------
>
>                 Key: FLINK-35532
>                 URL: https://issues.apache.org/jira/browse/FLINK-35532
>             Project: Flink
>          Issue Type: Technical Debt
>          Components: Runtime / Web Frontend
>    Affects Versions: 1.19.0, 1.19.1
>            Reporter: Hong Liang Teoh
>            Assignee: Hong Liang Teoh
>            Priority: Minor
>              Labels: pull-request-available
>             Fix For: 1.20.0, 1.19.1
>
>
> As part of FLINK-33325, we introduced a new tab on the Flink dashboard to trigger the async profiler on the JobManager and TaskManager.
>
> The HTML component introduced links out to async profiler page on Github -> [https://github.com/async-profiler/async-profiler/wiki].
> However, the anchor element introduced does not follow best practices around preventing XSA attacks, by setting up the below:
> {code:java}
> target="_blank" rel="noopener noreferrer"{code}
> We should add these attributes as best practice!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
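
A check for the attribute pair the issue asks for, as an added example that is not part of the original message or of Flink's code: it scans an HTML template for anchors that open in a new tab without both `rel` tokens. The sample template, the function names and the example.org URLs are constructed for illustration, and the regex-based tag matching assumes no `>` inside attribute values.

```javascript
// Constructed sample template; the first anchor mirrors the pattern described in the issue.
const SAMPLE_TEMPLATE = `
<p>
  See the
  <a href="https://github.com/async-profiler/async-profiler/wiki" target="_blank">async profiler wiki</a>,
  <a href="https://example.org/a" target="_blank" rel="noopener noreferrer">hardened link</a>,
  <a href="https://example.org/b" target='_blank' rel="noopener">partially hardened link</a>,
  <a href="/jobs">same-tab link</a>
</p>`;

// rel tokens the issue asks for on every target="_blank" anchor.
const REQUIRED_REL = ["noopener", "noreferrer"];

// Parse the attributes of one opening <a ...> tag into a lower-cased name -> value map.
function parseAttributes(tagSource) {
  const attrs = {};
  const attrPattern = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>]+)))?/g;
  // Drop the leading "<a" and the trailing ">" so the tag name is not read as an attribute.
  const body = tagSource.replace(/^<a/i, "").replace(/\/?>$/, "");
  let m;
  while ((m = attrPattern.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per anchor that sets target="_blank" but lacks a required rel token.
function findUnsafeBlankLinks(html) {
  const results = [];
  // "<a" must be followed by whitespace, ">" or "/" so custom elements like <app-x> are skipped.
  for (const match of html.matchAll(/<a(?=[\s>\/])[^>]*>/gi)) {
    const attrs = parseAttributes(match[0]);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    const relTokens = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    const missing = REQUIRED_REL.filter((token) => !relTokens.includes(token));
    if (missing.length > 0) {
      // 1-based line number of the tag within the scanned text.
      const line = html.slice(0, match.index).split("\n").length;
      results.push({ line, href: attrs.href || "", missing });
    }
  }
  return results;
}

for (const f of findUnsafeBlankLinks(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: ${f.href} is missing rel token(s): ${f.missing.join(", ")}`);
}
```

Run over a front-end's template files in CI, a non-empty result can fail the build so that new `target="_blank"` links cannot land without the `rel` attribute.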