asf-tooling opened a new issue, #1125: URL: https://github.com/apache/tooling-trusted-releases/issues/1125
**ASVS Level(s):** L1

**Description:**

### Summary

The JWT display functionality on `/tokens` implements a 60-second auto-clear timer, which is a good security practice. However, it lacks page lifecycle event handlers that would provide defense in depth by clearing the JWT when the user switches tabs (`visibilitychange`), the page enters the back-forward cache (`pagehide`), or the user navigates away before the timer expires.

The JWT cleanup relies solely on the 60-second timer. If the page is stored in the browser's back-forward cache (bfcache), the timer may not fire when the user navigates back, and the JWT could persist in the DOM.

### Details

In `atr/static/ts/create-a-jwt.ts` at lines 28-50, the JWT display only implements a 60-second timer without page lifecycle event handlers. A JWT displayed on the `/tokens` page could persist in the DOM if the user navigates away before the 60-second timer expires, the page enters the browser's back-forward cache, and the user returns via the back button.

### Recommended Remediation

Add to `atr/static/ts/create-a-jwt.ts`:

1. A `clearJwtDisplay()` function to clear `output`, `outputContainer`, and both `timeoutObj` and `intervalObj`
2. A `visibilitychange` event listener that calls `clearJwtDisplay()` when `document.visibilityState` becomes `'hidden'`
3. A `pagehide` event listener that calls `clearJwtDisplay()` when the page is being unloaded or cached
4. A `pageshow` event listener that calls `clearJwtDisplay()` when the page is restored from bfcache (`event.persisted === true`)

### Acceptance Criteria

- [ ] Page lifecycle event handlers added
- [ ] JWT cleared on tab switch
- [ ] JWT cleared on navigation
- [ ] JWT cleared on bfcache restore
- [ ] Unit tests verify cleanup logic

### References

- Source reports: L1:14.3.1.md
- Related findings: None
- ASVS sections: 14.3.1

### Priority

Low

---

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
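The remediation the issue lists (a `clearJwtDisplay()` that cancels both timers, plus `visibilitychange`, `pagehide` and `pageshow`/`persisted` handlers), as an added TypeScript example that is not the project's `create-a-jwt.ts`. Element and timer names follow the issue text; the `FakeTarget` double, the `simulate()` driver and the sample token are constructed so the handlers can be exercised outside a browser.

```typescript
type LifecycleEvent = { type: string; persisted?: boolean };
type Listener = (ev: LifecycleEvent) => void;
interface EventSourceLike { addEventListener(type: string, listener: Listener): void; }
interface DocumentLike extends EventSourceLike { visibilityState: "visible" | "hidden"; }
// Element names follow the issue text; the real markup in create-a-jwt.ts may differ.
interface JwtDisplay { output: { textContent: string }; outputContainer: { hidden: boolean }; }

function installJwtAutoClear(display: JwtDisplay, doc: DocumentLike, win: EventSourceLike, ttlMs = 60_000) {
  let timeoutObj: ReturnType<typeof setTimeout> | undefined, intervalObj: ReturnType<typeof setInterval> | undefined;
  let remainingMs = 0;
  // Empties the token, hides the container and cancels BOTH timers, so a bfcache restore cannot revive it.
  function clearJwtDisplay(): void {
    display.output.textContent = "";
    display.outputContainer.hidden = true;
    if (timeoutObj !== undefined) { clearTimeout(timeoutObj); timeoutObj = undefined; }
    if (intervalObj !== undefined) { clearInterval(intervalObj); intervalObj = undefined; }
    remainingMs = 0;
  }
  function showJwt(token: string): void {
    clearJwtDisplay(); // never stack two tokens or two sets of timers
    display.output.textContent = token;
    display.outputContainer.hidden = false;
    remainingMs = ttlMs;
    intervalObj = setInterval(() => { remainingMs -= 1000; }, 1000); // countdown tick
    timeoutObj = setTimeout(clearJwtDisplay, ttlMs);                 // the existing 60 s auto-clear
  }
  // Defense in depth: clear as soon as the page leaves view rather than waiting for the timer.
  doc.addEventListener("visibilitychange", () => { if (doc.visibilityState === "hidden") clearJwtDisplay(); });
  win.addEventListener("pagehide", clearJwtDisplay);
  win.addEventListener("pageshow", (ev) => { if (ev.persisted === true) clearJwtDisplay(); });
  return { showJwt, clearJwtDisplay, isArmed: () => timeoutObj !== undefined, remainingMs: () => remainingMs };
}

// Constructed stand-in for document/window so the handlers can be exercised outside a browser.
class FakeTarget implements DocumentLike {
  visibilityState: "visible" | "hidden" = "visible";
  private listeners = new Map<string, Listener[]>();
  addEventListener(type: string, l: Listener): void { this.listeners.set(type, [...(this.listeners.get(type) ?? []), l]); }
  dispatch(ev: LifecycleEvent): void { for (const l of this.listeners.get(ev.type) ?? []) l(ev); }
}
// Replays the issue's scenario: token shown, then a lifecycle event fires long before the 60 s timer.
function simulate(ev: LifecycleEvent): { tokenAfter: string; armedAfter: boolean } {
  const display: JwtDisplay = { output: { textContent: "" }, outputContainer: { hidden: true } };
  const doc = new FakeTarget(), win = new FakeTarget();
  const guard = installJwtAutoClear(display, doc, win);
  guard.showJwt("eyJhbGciOiJIUzI1NiJ9.constructed.sample"); // constructed placeholder, not a real JWT
  if (ev.type === "visibilitychange") doc.visibilityState = "hidden";
  (ev.type === "visibilitychange" ? doc : win).dispatch(ev);
  const result = { tokenAfter: display.output.textContent, armedAfter: guard.isArmed() };
  guard.clearJwtDisplay(); // stop any remaining timers so the process can exit
  return result;
}
```

A `pageshow` with `persisted === false` (a fresh load) deliberately leaves the token and timer in place, which is the one case the unit tests in the acceptance criteria should confirm is not over-cleared.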
To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
