andrewmusselman opened a new issue, #698:
URL: https://github.com/apache/tooling-trusted-releases/issues/698

   ### Description
   
   Sensitive tokens are rendered into the DOM and persist indefinitely without 
any cleanup:
   
   1. **JWT token** — When a JWT is created via the UI 
(`atr/static/ts/create-a-jwt.ts`), it is placed into a DOM element's 
`textContent` and remains there for the lifetime of the page. There is no 
timeout, no `beforeunload` cleanup, and no visibility-change handling.
   
   2. **CSRF token** — The CSRF token is extracted from a DOM `data-` attribute 
into the `uiState` object (`atr/static/ts/finish-selected-move.ts`) and is 
never cleared when the session ends or the page unloads.
   
   ### Affected Files
   
   | File | Lines | Data |
   |------|-------|------|
   | `atr/static/ts/create-a-jwt.ts` | 32–36 | JWT token stored in DOM `textContent` permanently |
   | `atr/static/ts/finish-selected-move.ts` | 422–426, 474–488 | CSRF token extracted to `uiState`, never cleared |
   
   ### Recommended Remediation
   
   1. Do beforeunload and data-sensitive only
   
   **JWT token — auto-clear after timeout:**
   
   ```typescript
   if (resp.ok) {
     const token = await resp.text();
     output.classList.remove("d-none");
     output.textContent = token;
   
     // Clear token after 30 seconds
     setTimeout(() => {
       output.textContent = "[Token cleared for security — regenerate if needed]";
       output.classList.add("text-muted");
     }, 30000);
   }
   
   window.addEventListener("beforeunload", () => {
     if (output) output.textContent = "";
   });
   ```
   
   **CSRF token — clear on page unload:**
   
   ```typescript
   window.addEventListener("beforeunload", () => {
     controller.abort();
     uiState.csrfToken = null;
     uiState.currentlySelectedPaths.clear();
     const mainScriptData = document.getElementById(ID.mainScriptData);
     if (mainScriptData) delete mainScriptData.dataset.csrfToken;
   });
   ```
   
   Additionally, mark sensitive DOM elements with a `data-sensitive` attribute 
so the session-cleanup script (see Issue 2) can target them generically.
   
   ### Reference
   
   - ASVS: 14.3.1
   - CWE: CWE-312 (Cleartext Storage of Sensitive Information), CWE-525
   - Severity: **Medium** (JWT), **Low** (CSRF)
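
An added example (not code from issue #698 or the ATR project) of the pattern the remediation above describes: a rendered token gets a bounded lifetime, every tracked element is wiped on `beforeunload`, `pagehide` and a visibility change to `hidden`, and elements tagged `data-sensitive` are swept generically. The registry, the lifecycle hook and the element, window and scheduler shapes are all assumptions; the test doubles at the bottom are constructed so the code runs outside a browser.

```javascript
// Added example; not code from issue #698 or the ATR project. Element, window and
// scheduler shapes below are assumptions chosen so the logic runs without a DOM.

const DEFAULT_TTL_MS = 30000;
const CLEARED_PLACEHOLDER = "[cleared]"; // assumed placeholder text, not the project's

// Tracks every element that currently holds a sensitive value so all can be wiped at once.
// `scheduler` is anything exposing setTimeout/clearTimeout (the real window by default).
class SensitiveRegistry {
  constructor(scheduler = globalThis) {
    this.scheduler = scheduler;
    this.entries = new Map(); // element -> pending timer id (null when no TTL)
  }

  // Render `value` into `el`, tag the element as sensitive, schedule an automatic wipe.
  show(el, value, ttlMs = DEFAULT_TTL_MS) {
    this.forget(el); // replace any earlier timer for this element
    el.textContent = value;
    if (el.dataset) el.dataset.sensitive = "true";
    const timer = ttlMs > 0
      ? this.scheduler.setTimeout(() => this.wipe(el, CLEARED_PLACEHOLDER), ttlMs)
      : null;
    this.entries.set(el, timer);
  }

  // Overwrite the element's text and drop any token-like data-* attribute on it.
  wipe(el, placeholder = "") {
    this.forget(el);
    el.textContent = placeholder;
    if (el.dataset) {
      for (const key of Object.keys(el.dataset)) {
        if (key.toLowerCase().includes("token")) delete el.dataset[key];
      }
    }
  }

  // Cancel a pending timer and stop tracking the element.
  forget(el) {
    const timer = this.entries.get(el);
    if (timer !== undefined && timer !== null) this.scheduler.clearTimeout(timer);
    this.entries.delete(el);
  }

  // Wipe every tracked element plus any element under `root` carrying data-sensitive.
  wipeAll(root = null) {
    for (const el of [...this.entries.keys()]) this.wipe(el);
    if (root && typeof root.querySelectorAll === "function") {
      for (const el of root.querySelectorAll("[data-sensitive]")) this.wipe(el);
    }
  }

  liveCount() {
    return this.entries.size;
  }
}

// Hook the registry to page-lifecycle events. `win` and `doc` are window/document-like
// (addEventListener; doc also exposes visibilityState and querySelectorAll).
function installLifecycleCleanup(registry, win, doc) {
  const onUnload = () => registry.wipeAll(doc);
  const onVisibility = () => {
    if (doc.visibilityState === "hidden") registry.wipeAll(doc);
  };
  win.addEventListener("beforeunload", onUnload);
  win.addEventListener("pagehide", onUnload);
  doc.addEventListener("visibilitychange", onVisibility);
  return { onUnload, onVisibility };
}

// --- Constructed test doubles so the example runs without a browser -------------------

function makeFakeScheduler() {
  const pending = new Map();
  let nextId = 1;
  return {
    setTimeout(fn, ms) { const id = nextId++; pending.set(id, { fn, ms }); return id; },
    clearTimeout(id) { pending.delete(id); },
    advance(ms) { // fire every one-shot timer whose delay is within `ms`
      for (const [id, t] of [...pending]) if (t.ms <= ms) { pending.delete(id); t.fn(); }
    },
    pendingCount() { return pending.size; },
  };
}

function makeFakeEventTarget() {
  const listeners = new Map();
  return {
    addEventListener(type, fn) { listeners.set(type, [...(listeners.get(type) || []), fn]); },
    dispatch(type) { for (const fn of listeners.get(type) || []) fn(); },
  };
}

function makeFakeDocument(elements) {
  return {
    ...makeFakeEventTarget(),
    visibilityState: "visible",
    querySelectorAll(selector) {
      return selector === "[data-sensitive]"
        ? elements.filter((e) => e.dataset && "sensitive" in e.dataset)
        : [];
    },
  };
}

function makeFakeElement(dataset = {}) {
  return { textContent: "", dataset: { ...dataset } };
}
```

In a real page the registry would be constructed once with the real `window` as scheduler and `installLifecycleCleanup(registry, window, document)` called at startup; `show(outputElement, token)` then replaces the bare `output.textContent = token` assignment. The `visibilitychange` hook is the piece the issue notes is missing, and `pagehide` is included because some browsers skip `beforeunload` on back/forward-cache navigation.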


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
