WF-I-1 — Session token extracted from sessionStorage via XSS
Component: Wallet Frontend. Mitigations: CSP (`script-src 'self'`); `HttpOnly` cookies not used (sessionStorage by design) — any XSS bypasses this boundary. Action: Priority: next sprint — harden CSP to eliminate inline script; migrate token to `HttpOnly` + `SameSite=Strict` cookie to remove JS-accessible session token.
| Property | Value |
|---|---|
| Section | Information Disclosure |
| Owner | platform |
Mapped Controls
| Control | Title |
|---|---|
| SID-HARD-05 | Browser Security Controls |
Source: STRIDE analysis (April 2026), architecture/stride-threat-model.md