Skip to content

Clarify same-site CSRF risks with user-generated content #1949

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
prasunsrivastav123-lang wants to merge 3 commits into from
Closed

Clarify same-site CSRF risks with user-generated content #1949

prasunsrivastav123-lang wants to merge 3 commits into from
+46 −10

Conversation

@prasunsrivastav123-lang
Copy link

@prasunsrivastav123-lang prasunsrivastav123-lang commented Jan 5, 2026

This PR clarifies same-site CSRF risks arising from user-generated content.

It explains scenarios where SameSite cookies alone are insufficient and
reinforces the need for CSRF tokens and proper request handling.

jmanico
jmanico reviewed Jan 5, 2026
View reviewed changes
Copy link
Member

@jmanico jmanico left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is technically not CSRF but XSS. But I still discuss this issue. I noticed the formatting of your markdown is different then the rest of the doc. Can you make it more consistent?

@prasunsrivastav123-lang
Copy link
Author

prasunsrivastav123-lang commented Jan 5, 2026

Thanks for the clarification — agreed that this scenario is technically XSS-enabled. I’ve updated the section to acknowledge that explicitly, kept it framed in the context of CSRF defense limitations, and adjusted the markdown structure and wording to be consistent with the rest of the document.

@nickchomey
Copy link
Contributor

nickchomey commented Jan 7, 2026

As i pointed out (and rejected) in #1936, this PR is largely irrelevant nonsense. I urge you to close it and give serious consideration to #1952

@szh szh closed this Jan 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmanico jmanico jmanico left review comments

@kwwall kwwall Awaiting requested review from kwwall kwwall is a code owner

@mackowski mackowski Awaiting requested review from mackowski mackowski is a code owner

@szh szh Awaiting requested review from szh szh is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@prasunsrivastav123-lang @nickchomey @jmanico @szh