sbp commented on issue #906: URL: https://github.com/apache/tooling-trusted-releases/issues/906#issuecomment-4084006240
1. Agreed. We don't need JS for this because session cleanup is [already done by `Clear-Site-Data: storage`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Clear-Site-Data#storage). The specific code suggested by the audit tool is even less appropriate, because it patches `window.fetch` but we don't use `fetch` anywhere when logging out; we only perform a `POST`.

2. This only applies when setting client side data, and with the exception of the session cookie we don't do that. The ASVS criterion is about server state ("authenticated data"), not about sessions. Even if it were about sessions, we would not be able to clear the session cookie from JS because it is set `HttpOnly`.
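An added illustration of the server-side logout the comment describes (example code written for this page, not code from the apache/tooling-trusted-releases project): the `POST /logout` response carries `Clear-Site-Data: "storage"` so the browser wipes origin storage without any JavaScript, and the `HttpOnly` session cookie is expired by the server, since script could never touch it. The cookie name `session` and the helper names are assumptions. A small checker is included so a reviewer can verify a captured logout response has both properties, which is the kind of check an audit tool could have run instead of suggesting a `window.fetch` patch.

```python
"""Logout response built around Clear-Site-Data and an HttpOnly session cookie.

Hypothetical example for illustration; assumes the session cookie is named
"session" and that logout is a server-handled POST. Standard library only.
"""
from email.utils import formatdate
from http.cookies import SimpleCookie

SESSION_COOKIE = "session"  # assumed cookie name, not the project's


def logout_headers(cookie_name: str = SESSION_COOKIE) -> list[tuple[str, str]]:
    """Return the response headers a POST /logout handler should emit.

    Clear-Site-Data directives must be quoted; "storage" asks the browser to
    delete localStorage, sessionStorage, IndexedDB, Cache Storage and service
    worker registrations for this origin. The header is only honoured on a
    secure (HTTPS) origin. The session cookie is expired with the same
    attributes it was issued with; HttpOnly is exactly why JS could not do it.
    """
    jar = SimpleCookie()
    jar[cookie_name] = ""
    morsel = jar[cookie_name]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["max-age"] = 0
    morsel["expires"] = formatdate(0, usegmt=True)  # epoch, i.e. already expired
    return [
        ("Clear-Site-Data", '"storage"'),
        ("Set-Cookie", morsel.OutputString()),
        ("Cache-Control", "no-store"),
    ]


def check_logout_response(
    headers: list[tuple[str, str]], cookie_name: str = SESSION_COOKIE
) -> list[str]:
    """Audit a captured logout response; returns a list of findings (empty is good)."""
    findings: list[str] = []
    by_name: dict[str, list[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # Clear-Site-Data is a comma-separated list of quoted directives.
    directives = {
        d.strip()
        for value in by_name.get("clear-site-data", [])
        for d in value.split(",")
    }
    if not directives & {'"storage"', '"*"'}:
        findings.append("Clear-Site-Data does not request storage cleanup")

    # The session cookie must be expired server-side and remain HttpOnly.
    expired_httponly = False
    for value in by_name.get("set-cookie", []):
        jar = SimpleCookie()
        jar.load(value)
        if cookie_name in jar:
            m = jar[cookie_name]
            if m["httponly"] and str(m["max-age"]) == "0":
                expired_httponly = True
    if not expired_httponly:
        findings.append(f"{cookie_name} cookie is not expired as HttpOnly")
    return findings


if __name__ == "__main__":
    for name, value in logout_headers():
        print(f"{name}: {value}")
    print("findings:", check_logout_response(logout_headers()))
```

Wire `logout_headers()` into whatever handler answers the logout `POST`; the checker takes any `(name, value)` header list, so it can be pointed at a response captured from a test client.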
