Vaadin Flow 1.0.14 is a maintenance version with the following notable changes:
- Fixes:
-
⧉ Use time-constant comparison for security tokens. PR:9896 Thanks to Xhelal Likaj for reporting this
This is the same as #9875, but also applied for the upload security key and the push id since both of those are also used to protect against cross-site attacks. In addition, documentation for the push id is clarified to point out its role.
-
⧉ Use time-constant comparison for CSRF tokens. PR:9875 Thanks to Xhelal Likaj for reporting this
This hardens the framework against a theoretical timing attack based on comparing how quickly a request with an invalid CSRF token is rejected.
-
For all changes, see changes since 1.0.13
For what is new in 1.0, see 1.0.0 release notes