
How to hide/secure a session/encryption key in client-side JavaScript from an addon/extension

This is not a question about whether a web application can be safe/secure to use!!

But if I have a session or encryption key and would like to hide it as well as possible on the client side with JavaScript, what is the best approach?

I wanted to use sessionStorage until I found out that any extension can read this from the content script, at least in Chrome. In my view this is a big mistake by the developers, as they hide the web page's JavaScript from the extension but allow it to see web storage. Everywhere it is stated that the extension can only see the DOM, but I do not think most people realise that this also includes web storage!

So how can I secure a session key so that it is out of reach of an extension? I am unable to encrypt it, as I would then just need to hide the encryption key. The problem is that the session has to be valid for all pages of the site, so I cannot just keep it in JavaScript, as that is refreshed on each page load.

A cookie is in my view just as bad!

NB: I do not know whether this is also a problem for other browsers.

An extension, given permission to access your page, can do anything.

Code injected as a <script> tag from a content script into the DOM will execute, regardless of your CSP, in the context of your page, with full access to your JS context.

That is not even to mention the chrome.debugger API.

So no, you cannot secure your client-side data from extensions that the user consented to run on your page, just as you can't secure your data from the browser itself.
