
Clarify 14.3.1 #2821

Closed
tghosth opened this issue Mar 30, 2025 · 7 comments
Labels
1) Discussion ongoing Issue is opened and assigned but no clear proposal yet 6) PR awaiting review V14 (prev V8) _5.0 - prep This needs to be addressed to prepare 5.0

Comments

@tghosth (Collaborator) commented Mar 30, 2025

Current:

| # | Description | Level | #v5.0.be |
|---|---|---|---|
| 14.3.1 | [MODIFIED] Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated. The "Clear-Site-Data header" may be able to help with this but the client-side should also be able to clear up if the server connection is lost. | 1 | v5.0.be-8.2.3 |

@elarlang said:

> "without interruption the client-side must be able to"

Not sure what the concern is here?

@tghosth tghosth added 1) Discussion ongoing Issue is opened and assigned but no clear proposal yet _5.0 - prep This needs to be addressed to prepare 5.0 V14 (prev V8) labels Mar 30, 2025
@elarlang (Collaborator) commented Mar 30, 2025

Concern comes from the fact that whatever is on the client side is under user control.

  • The "Clear-Site-Data header" > The 'Clear-Site-Data' header field

@tghosth (Collaborator, Author) commented Mar 30, 2025

I think the aim here is that there is client side code that deletes client side data. It is in the user's interest to do this, and if an attacker already has control of the client side then they already have the data anyway, so it is game over.

@elarlang (Collaborator)

> to help with this but the client-side should also be able to clear up if the server connection is lost.

May one interpret that if the connection is lost, then immediate clean-up must be triggered?

@tghosth (Collaborator, Author) commented Mar 30, 2025

> > to help with this but the client-side should also be able to clear up if the server connection is lost.
>
> May one interpret that if the connection is lost, then immediate clean-up must be triggered?

So no, that is going to cause a problem.

The implication of the requirement is that when the user logs out, or when it is expected that a client side data clean would be triggered, the app cannot just rely on the Clear-Site-Data header but rather needs to have client side mechanisms to handle that as well.
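The point above, illustrated as an added example (this is not ASVS project code, and the storage key names, the `/logout` URL and the fake `fetch` stand-ins are constructed assumptions): the client wipes its own copies of authenticated data first, synchronously, and only then makes a best-effort call to the server. The server's `Clear-Site-Data` response header then covers what script cannot reach (HttpOnly cookies, caches), but if the connection is down the client-side cleanup has already happened. Storage and fetch are injected so the logic runs under Node without a browser; in a page you would pass `window.localStorage`, `window.sessionStorage`, `document` and `window.fetch`.

```javascript
// Keys under which this hypothetical app keeps authenticated data (constructed names).
const AUTH_KEYS = ['access_token', 'profile', 'csrf'];

// Minimal in-memory stand-in for the Web Storage API surface used here,
// so the example runs outside a browser.
function makeStorage(initial = {}) {
  const map = new Map(Object.entries(initial));
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    get length() { return map.size; },
  };
}

// Headers a cooperating server should send on the logout response. Clear-Site-Data
// is advisory to the browser; the client-side cleanup below does not depend on it.
function logoutResponseHeaders() {
  return {
    'Clear-Site-Data': '"cookies", "storage"',
    'Cache-Control': 'no-store',
  };
}

// Remove authenticated data from every client-side store the script controls.
// Non-auth keys (e.g. UI preferences) are deliberately left alone.
function clearClientAuthData({ local, session, document }) {
  for (const key of AUTH_KEYS) {
    local.removeItem(key);
    session.removeItem(key);
  }
  // Expire the cookies script can reach. HttpOnly cookies must be cleared by the
  // server (Set-Cookie with Max-Age=0 or Clear-Site-Data: "cookies").
  if (document) {
    for (const name of AUTH_KEYS) {
      document.cookie = `${name}=; Max-Age=0; Path=/; Secure; SameSite=Strict`;
    }
  }
}

// Logout: local cleanup first, then best-effort server notification.
// Because clearClientAuthData runs before the first await, the data is gone
// even if the network call never completes.
async function logout({ local, session, document, fetchImpl, logoutUrl = '/logout' }) {
  clearClientAuthData({ local, session, document });
  try {
    const res = await fetchImpl(logoutUrl, { method: 'POST', credentials: 'same-origin' });
    return {
      cleared: true,
      serverNotified: Boolean(res.ok),
      clearSiteData: res.headers.get('Clear-Site-Data'),
    };
  } catch (err) {
    // Server unreachable: local data is already cleared; the server-side session
    // lapses on its own idle/absolute timeout.
    return { cleared: true, serverNotified: false, clearSiteData: null, error: String(err) };
  }
}

// Constructed fetch stand-ins: one reaching a server that sends Clear-Site-Data,
// one simulating a lost connection.
async function fakeOnlineFetch() {
  const hdrs = logoutResponseHeaders();
  return { ok: true, status: 200, headers: { get: (n) => (n in hdrs ? hdrs[n] : null) } };
}
async function fakeOfflineFetch() {
  throw new TypeError('Failed to fetch');
}
```

The ordering is the whole point: a logout handler that calls the server first and clears storage in the success callback leaves tokens in place exactly when the server is unavailable, which is the case the reworded requirement is about.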

@elarlang (Collaborator)

Yes, my question was whether, if someone only focuses on the last sentence, it may be interpreted like that.

@tghosth (Collaborator, Author) commented Mar 30, 2025

Ok, I understand. Suggestion:

> [MODIFIED] Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated. The "Clear-Site-Data header" may be able to help with this but the client-side should also be able to clear up if the server connection is not available when the session is terminated.

@elarlang (Collaborator)

PR with a tiny modification:

| # | Description | Level | #v5.0.be |
|---|---|---|---|
| 14.3.1 | [MODIFIED] Verify that authenticated data is cleared from client storage, such as the browser DOM, after the client or session is terminated. The 'Clear-Site-Data' HTTP response header field may be able to help with this but the client-side should also be able to clear up if the server connection is not available when the session is terminated. | 1 | v5.0.be-8.2.3 |

2 participants