window.prompt() 可以比经典形式更安全吗？

Question

I'm developing a pure javascript app that will run entirely on the client side and MUST BE VERY SECURE .

At the start I need to get a password to decrypt a file, after that I don't need to save it for any future uses.

So my question is: can the window.prompt() be more secure to get this password than write it in a <input> field and retrieve it through document.getElementById().value ?

Thanks

Answer 1

No, there is no guarantee of practical difference in security. An injected script could hook window.prompt to intercept anything entered. For example:

// In the attacker's script
const _prompt = window.prompt;
window.prompt = function(p) {
  const v = _prompt(p);
  alert(`I intercepted ${v}`);
  return v;
}

// In your script
window.prompt("Enter your secret password");

You could perhaps take a private handle to window.prompt, but you'd have to be certain that it happened prior to point that a script could be injected.

Answer 2

As far as I know there is no difference as you don't seem to send the form over the network and there is no extra level of security between window.prompt and the browser (where you have to handle the entered password at some time).

As for any other vulnerabilities such as keyloggers, infected packages, weak or wrongly stored passwords, there are very much open to the same risks.

Don't know if I'd use the term VERY SECURE in regards to any javascript application, but well, there you have it.

Edit: Actually, there is one major difference. I don't think there is a way to mask the entry in the window.prompt like you can do with a form input set to type password. If there is no workaround for that, and I don't think there is, given everything else is about the same level of security, the input field is definetly more secure.

https://developer.mozilla.org/de/docs/Web/API/Window/prompt

 <button onClick="window.prompt()">trigger prompt</button> <input type='password'>