第三方JS可以访问第一方本地存储吗?
[英]Can a third-party JS access first-party localstorage?
问题描述
When I embedded a JS hosted on lets say, xyz.com on an webpage hosted on abc.com, it seemed xyz.com/test.js could read and write all key-values set on and by abc.com. 
当我在abc.com托管的网页上嵌入xyz.com托管的JS时,似乎xyz.com/test.js可以读取和写入abc.com以及由abc.com设置的所有键值。 Isn't that considered huge security hole? 那不是被认为是巨大的安全漏洞吗? Are sites advised to not store any user sensitive information in localstorage when you are planning to use any third-party JS like from Google Analytics? 当您计划使用Google Analytics(分析)中的任何第三方JS时,建议网站不要在本地存储中存储任何用户敏感信息吗?
Here is an example - https://jsfiddle.net/kuldeepk/eqawezd6/1/ 这是一个示例-https://jsfiddle.net/kuldeepk/eqawezd6/1/
localStorage.setItem('first-party', 'first-party');
window.Test.setKeyValue('third-party', 'third-party')
console.log(window.Test.getKey('first-party'))
console.log(localStorage.getItem('third-party'));
window.Test is declared in third-party JS window.Test在第三方JS中声明
1 个解决方案
解决方案1
2 2017-02-09 21:49:35
Are sites advised to not store any user sensitive information
Hell no, with your without using any third-party JS 地狱,不用您使用任何第三方JS
Everything in js or html can be read by everybody visiting your site, no matter if it's in localstorage or elsewhere in the front-end. 不论是在本地存储中还是在前端的其他地方,访问站点的每个人都可以读取js或html中的所有内容。
Just press F12 and look at the entire front-end source code stackoverflow has to offer. 只需按F12键,然后查看stackoverflow提供的整个前端源代码即可。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.