Impact The HTML form for a read-only canned query includes the hidden CSRF token field added in #798 for writable canned queries (#698). This means that submitting those read-only forms exposes the CSRF token in the URL - for example on https://latest.datasette.io/fixtures/neighborhood_search submitting the form took me to: https://latest.datasette.io/fixtures/neighborhood_search?text=down&csrftoken=CSRFTOKEN-HERE This token could potentially leak to an attacker if the resulting page has a link to an external site on it and the user clicks the link, since the token would be exposed in the referral logs. Patches A fix for this issue has been released in Datasette 0.46. Workarounds You can fix this issue in a Datasette instance without upgrading by copying the "0.46 query.html template" (https://raw.githubusercontent.com/simonw/datasette/0.46/datasette/templates/query.html) into a custom "templates/" directory and running Datasette with the "--template-dir=templates/" option. References Issue 918 discusses this in details: https://github.com/simonw/datasette/issues/918 For more information Contact swillison at gmail with any questions.