手机上本地存储(html5)的安全性?
[英]Security of local storage (html5) on mobile?
问题描述
if you write data to local storage with javascript on Android like this: 
如果您使用Android上的javascript将数据写入本地存储,例如:
localStorage.data = "test";
Can this data be access and viewed in some way? 可以通过某种方式访问和查看此数据吗? I have some important data to save like user personal information and I would not like for anybody to see this data (even if they put some effort in this). 我有一些重要的数据需要保存,例如用户的个人信息,而且我不希望任何人看到此数据(即使他们为此付出了一些努力)。 Solutions? 解决方案?
2 个解决方案
解决方案1
2 已采纳 2012-08-23 08:40:52
There aren't protected at all if you have access to the browser. 如果您有权访问浏览器,则根本没有任何保护。
Anybody connecting to your site from the user's browser can simply type console.log(localStorage) in the developer's tools (use Ctrl-uppercase-i on most browsers) to see it in clear. 通过用户浏览器连接到您网站的任何人都可以在开发人员的工具中键入console.log(localStorage) (在大多数浏览器中使用Ctrl-uppercase-i)以清晰地查看它。
A solution might be to encrypt the data using a server provided key, but this wouldn't be so secure : it's easy (for example using an extension) to change the executed javascript once you get access to the browser (and you have the user to come back to the site). 一种解决方案可能是使用服务器提供的密钥来加密数据,但这并不是那么安全:一旦访问浏览器(并且您拥有用户),就很容易(例如使用扩展名)更改执行的javascript。返回网站)。 I'd suggest to store on the server those data. 我建议将这些数据存储在服务器上。
解决方案2
2 2012-08-23 08:41:43
I assume you are talking about a technical exploit rather than someone physically getting hold of the actual device? 我假设您是在谈论技术漏洞,而不是有人亲自掌握实际设备?
If so, it is my understanding that only code on the domain from which the data was saved can access it. 如果是这样,据我了解,只有保存数据的域上的代码才能访问它。 So you'd potentially be vulnerable is someone managed a XSS attack or you incorrectly included someone else's script. 因此,如果有人进行了XSS攻击,或者您错误地包含了别人的脚本,那么您可能会很容易受到攻击。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.