Comments (7)
So no one can answer?
from store.js.
Browsers can't execute EXE files due to security concerns, so storing a file in state won't work. Since JS is client-side, it's quite impossible to execute a file or anything that can interact with the core OS (the container would be the browser, which won't allow the interaction), and those hacks you've more than likely seen don't include malicious code execution from the browser itself, but normally exploit a vulnerability that allows them to use something else to execute their code remotely. This is the reason why Flash was discontinued: the vulnerabilities exploited within Flash components allowed interaction with the core OS, which allowed them to execute code within/through the Flash that was loaded on the site.
I just read about how they can store encoded code in local storage and then call it out... So if the stored code is in local storage, when it is executed from there, will it interact with the OS? And can they now store files with Flash?
Please share where you found this information.
Local storage cannot interact with the core OS, and store.js doesn't use local storage; it uses state, which is wiped every time you navigate off the website.
Browsers are "containerized", meaning each tab is in its own isolated session, so it can't even interact with other browsers. There's a LOT of security when it comes to the web.
Local storage is also isolated PER DOMAIN. So an attacker who wants to read sensitive information stored in local storage and send it to his own server (username/password, or even credit card credentials, or even try to embed encoded code) needs to first exploit your site through cross-site scripting attacks, testing for vulnerabilities in your setup in order to inject their own JavaScript code into your website.
Even if they get that right, the only access they have is within the containerized environment of the browser, and they can only read the information; they cannot execute an exe that is stringified and embedded there either.
So if your site security sucks, then yes, they can store encoded code in local storage, but again, they're isolated from the OS.
Here's an article going over everything in detail: https://dev.to/rdegges/please-stop-using-local-storage-1i04
Also see the following answer if you don't believe me: https://security.stackexchange.com/a/95068
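The thread above turns on one distinction: a value an attacker manages to write into localStorage (through an XSS payload, a browser extension, or simply the user in devtools) is inert text unless the page itself turns it into code. The following is an added example, not code from store.js or from anyone in the thread. It places a vulnerable loader that evaluates the stored string next to a hardened loader that parses it as JSON and validates every field. `MemoryStorage`, the `prefs`/`session` keys, the `__storage` and `__exfil` globals and the token value are all constructed stand-ins so the example runs offline under Node; in a browser the payload would read `localStorage` directly and `__exfil` would be a `fetch()` to the attacker's server.

```javascript
// Added example (not store.js code). MemoryStorage is a constructed stand-in
// for window.localStorage so this runs under Node without a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(key) { return this.map.has(key) ? this.map.get(key) : null; }
  setItem(key, value) { this.map.set(key, String(value)); }
  removeItem(key) { this.map.delete(key); }
}

const DEFAULT_PREFS = Object.freeze({ theme: 'light', fontSize: 14 });
const ALLOWED_THEMES = new Set(['light', 'dark']);

// Vulnerable: the stored string is treated as JavaScript. new Function() has the
// same hazard as eval(); whoever controls the value runs code in this origin.
function loadPrefsUnsafe(storage) {
  const raw = storage.getItem('prefs');
  if (raw === null) return { ...DEFAULT_PREFS };
  return new Function('return (' + raw + ');')();
}

// Hardened: parse as data only (JSON.parse never executes anything), then
// validate each field against an allow-list or range before it is used.
function loadPrefsSafe(storage) {
  const raw = storage.getItem('prefs');
  if (raw === null) return { ...DEFAULT_PREFS };
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (err) {
    storage.removeItem('prefs');          // garbage in storage: discard, do not trust
    return { ...DEFAULT_PREFS };
  }
  if (typeof parsed !== 'object' || parsed === null) return { ...DEFAULT_PREFS };
  const theme = ALLOWED_THEMES.has(parsed.theme) ? parsed.theme : DEFAULT_PREFS.theme;
  const fontSize =
    Number.isInteger(parsed.fontSize) && parsed.fontSize >= 8 && parsed.fontSize <= 32
      ? parsed.fontSize
      : DEFAULT_PREFS.fontSize;
  return { theme, fontSize };
}

// Simulates an injected script planting a payload. The payload is valid
// JavaScript but not valid JSON; __exfil stands in for "POST the session token
// to the attacker's server" and __storage for the page's localStorage global.
// Both the token and the payload are constructed for this demo.
const PAYLOAD = '(__exfil(__storage.getItem("session")), { theme: "dark", fontSize: 14 })';

function demo() {
  const storage = new MemoryStorage();
  const exfiltrated = [];
  globalThis.__storage = storage;
  globalThis.__exfil = (value) => exfiltrated.push(value);
  storage.setItem('session', 'constructed-token-value');

  storage.setItem('prefs', PAYLOAD);
  const safe = loadPrefsSafe(storage);          // JSON.parse throws -> defaults
  const leakedAfterSafe = exfiltrated.length;   // nothing executed

  storage.setItem('prefs', PAYLOAD);            // safe loader removed the bad entry
  const unsafe = loadPrefsUnsafe(storage);      // payload executes, token leaks
  const leakedAfterUnsafe = exfiltrated.length;

  // Well-formed but hostile JSON is clamped to known-good values, not trusted.
  storage.setItem('prefs', JSON.stringify({ theme: 'evil', fontSize: 9999 }));
  const clamped = loadPrefsSafe(storage);

  return { safe, unsafe, clamped, leakedAfterSafe, leakedAfterUnsafe, exfiltrated };
}
```

Running `demo()` shows the asymmetry the thread describes: the hardened loader never lets the stored value run and falls back to defaults, while the evaluating loader hands the origin's data (here the `session` entry) to whoever wrote the `prefs` entry. Nothing in either path touches the operating system; the damage an XSS payload can do through storage is bounded by what the page's own code does with the data it reads back.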
@AcidRaZor Thanks for your explanations. Can we somehow mark this issue as finished to improve Issue count?
I don't have rights to close the issue, but I've seen that storeJS hasn't had any updates on npm for 2 years, so it doesn't look very actively maintained currently.
@marcuswestin This issue can be closed.
Maybe the Readme should be extended by a part about security in Localstorage, so that users understand the implications.
I can recommend linking to this article for that: https://www.rdegges.com/2018/please-stop-using-local-storage/
Maybe I'll add a PR later to add this to the Readme.
I wish people would stop using that article. It's mostly wrong, and it doesn't address how to store things like JWTs and other tokens (no, cookies are not a valid answer, as XHR requests don't normally use cookies and a JWT needs to be set in the header).