Hong Liang Teoh created FLINK-35532:
---------------------------------------
Summary: Prevent Cross-Site Authentication (XSA) attacks on Flink
dashboard
Key: FLINK-35532
URL: https://issues.apache.org/jira/browse/FLINK-35532
Project: Flink
Issue Type: Technical Debt
Components: Runtime / Web Frontend
Affects Versions: 1.19.0, 1.19.1
Reporter: Hong Liang Teoh
Assignee: Hong Liang Teoh
Fix For: 1.19.2
As part of FLINK-33325, we introduced a new tab on the Flink dashboard to
trigger the async profiler on the JobManager and TaskManager.
The HTML component introduced links out to the async profiler page on GitHub ->
[https://github.com/async-profiler/async-profiler/wiki].
However, the anchor element introduced does not follow best practice for
preventing XSA attacks, which is to set the attributes below:
{code:html}
target="_blank" rel="noopener noreferrer"
{code}
We should add these attributes as best practice!
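As an added illustration (not Flink project code), a small audit that scans an HTML fragment for anchors that open a new browsing context with target="_blank" but lack the rel tokens this issue asks for. The sample HTML is constructed here and pairs the unhardened link with its fixed form; the audit is deliberately regex-based so it runs in Node without a DOM.

```javascript
// Added example, not from the Flink code base: audit <a> tags for the
// target="_blank" / rel="noopener noreferrer" pairing recommended above.
// Without rel="noopener", the opened page receives a window.opener handle
// and can navigate the opener tab; rel="noreferrer" also implies noopener
// and suppresses the Referer header, so best practice is to set both.

// Parse the attributes of one <a ...> start tag into a lowercase-keyed map.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] ?? m[3] ?? m[4]).trim();
  }
  return attrs;
}

// Split the rel attribute into a Set of lowercase tokens.
function relTokens(attrs) {
  return new Set((attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean));
}

// Return one finding per anchor that has target="_blank" but is missing
// either noopener or noreferrer; `missing` lists the absent tokens.
function auditAnchors(html) {
  const findings = [];
  const anchorRe = /<a\b[^>]*>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    if ((attrs.target || '').toLowerCase() !== '_blank') continue;
    const rel = relTokens(attrs);
    const missing = ['noopener', 'noreferrer'].filter((t) => !rel.has(t));
    if (missing.length > 0) {
      findings.push({ href: attrs.href || '', missing });
    }
  }
  return findings;
}

// Constructed sample: the link as reported, its hardened form, and an
// internal link that does not open a new context and is therefore ignored.
const SAMPLE_HTML = `
<a href="https://github.com/async-profiler/async-profiler/wiki" target="_blank">async profiler</a>
<a href="https://github.com/async-profiler/async-profiler/wiki" target="_blank" rel="noopener noreferrer">async profiler</a>
<a href="/overview">overview</a>
`;

console.log(JSON.stringify(auditAnchors(SAMPLE_HTML)));
```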
--
This message was sent by Atlassian Jira
(v8.20.10#820010)