When submitting the following build manifest (which I guess is invalid YAML):
I get the error: "'str' object has no attribute 'get'" which has no relation to YAML or what is wrong as far as I can tell. I'm not sure what this means, possibly it's a bug in Python land somewhere. It would be more helpful if it told me that the YAML was invalid (or whatever the problem with that manifest actually is).
It may not be a CSRF issue because you have SameSite set, but we don't have to trick users into clicking a link either. They could just visit a page with an embedded pre-load link or image, e.g. visiting this issue will log you out without any user input (note that the thing that logs you out is a comment which an attacker could put in any issue):
The usual way to fix this is to make the logout link a form and a POST request.
On Tue, Sep 1, 2020, at 17:21, ~sircmpwn wrote:
This isn't a CSRF issue, but rather just a problem of duping someone into clicking a link like this.
-- Sam Whited
This is an innocent issue that might log you out.
We should consider adding a replacement for tls-server-end-point to this document as well. What would that look like?
- Not long enough
- Not unique enough without master-secret fix
I have not heard anything, but I think the author is working on a new version of the API so this may be low priority. That's just a guess though.
Amusingly, that is exactly what I was doing when I found this issue :) https://git.sr.ht/~samwhited/sourcehut-go