Hong Liang Teoh created FLINK-35532:
---------------------------------------

             Summary: Prevent Cross-Site Authentication (XSA) attacks on Flink dashboard
                 Key: FLINK-35532
                 URL: https://issues.apache.org/jira/browse/FLINK-35532
             Project: Flink
          Issue Type: Technical Debt
          Components: Runtime / Web Frontend
    Affects Versions: 1.19.0, 1.19.1
            Reporter: Hong Liang Teoh
            Assignee: Hong Liang Teoh
             Fix For: 1.19.2


As part of FLINK-33325, we introduced a new tab on the Flink dashboard to trigger the async profiler on the JobManager and TaskManager.

The HTML component introduced links out to the async profiler page on GitHub -> [https://github.com/async-profiler/async-profiler/wiki].

However, the anchor element introduced does not follow best practices around preventing XSA attacks, by setting up the below:
{code:java}
target="_blank" rel="noopener noreferrer"{code}
We should add these attributes as best practice!



--
This message was sent by Atlassian Jira
(v8.20.10#820010)