Thanks--we caught the XSS vs CSRF bit after the CVE was requested with the original wording and so stuck with it in the pre-OSSA.
As for "not going to be trivial to patch", do you suspect we'll be able to backport a more thorough solution to stable branches without violating our stable branch change policy? If not, we should probably continue with the original disclosure timeline to fix what can be trivially backported while publicly solving it in a more thorough fashion for the upcoming Kilo release.