It may not be a CSRF issue because you have SameSite set, but we don't have to trick users into clicking a link either. They could just visit a page with an embedded pre-load link or image, e.g. visiting this issue will log you out without any user input (note that the thing that logs you out is a comment which an attacker could put in any issue):
The usual way to fix this is to make the logout link a form and a POST request.
On Tue, Sep 1, 2020, at 17:21, ~sircmpwn wrote:
This isn't a CSRF issue, but rather just a problem of duping someone into clicking a link like this.
-- View on the web: https://todo.sr.ht/~sircmpwn/sr.ht/14#event-48317
-- Sam Whited
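An added example (not sourcehut's code) modelling the point made in this thread: a SameSite cookie is still sent on a same-site subresource load such as an image embedded in a comment, so a GET logout endpoint is reachable without any click; a POST-only logout bound to a per-session CSRF token is not. The session store, request shape and cookie model are constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store: session id -> {"user", "csrf"}
SESSIONS = {}


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user):
    """Create a session and a per-session CSRF token; returns the session id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16)}
    return sid


def browser_cookies(sid, same_site, top_level, method):
    """Model of a SameSite=Lax cookie: the browser attaches it to every
    same-site request (including an <img> subresource in a comment) and to
    cross-site top-level GET navigations; it is withheld only otherwise."""
    if same_site or (top_level and method == "GET"):
        return {"session": sid}
    return {}


def logout_get(req):
    """Vulnerable pattern: a GET carrying the session cookie ends the session."""
    sid = req.cookies.get("session")
    if req.method == "GET" and sid in SESSIONS:
        del SESSIONS[sid]
        return 302
    return 404


def logout_post(req):
    """Hardened: POST only, and the form must carry the session's CSRF token."""
    if req.method != "POST":
        return 405
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    if not hmac.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
        return 403
    del SESSIONS[req.cookies["session"]]
    return 302
```

The image load is a same-site GET, so the cookie is attached and `logout_get` ends the session, while `logout_post` rejects it with 405 and only a form POST carrying the session's own token succeeds.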
This is an innocent issue that might log you out.
We should consider adding a replacement for tls-server-end-point to this document as well. What would that look like?
- Not long enough
- Not unique enough without master-secret fix
I have not heard anything, but I think the author is working on a new version of the API so this may be low priority. That's just a guess though.
Amusingly, that is exactly what I was doing when I found this issue :) https://git.sr.ht/~samwhited/sourcehut-go
I don't do python, sorry. Just wanted to make the suggestion, and I hope to see it one day. Thanks for your consideration!
I have two builds that get run when I push, a set of unit tests and a set of integration tests. Right now when I push the SSH output comes up, I sometimes click both links, then tab over to my browser. However, I can't tell at a glance which tab is the unit tests and which the integration tests without waiting for output and trying to remember which of the tests that are running were one type or the other.
This is a request to add some sort of information to the build pages that identifies what file and repo they were created from (the project is visible only as a hash that you have to click through to make sense of). This might be the repo name / build file path, or a new title attribute in the build that lets me set a name for the pipeline like "MyProject Integration Tests", etc.
Thanks for your time!