
Can a third-party JS access first-party localstorage?

When I embedded a JS file hosted on, let's say, xyz.com on a webpage hosted on abc.com, it seemed xyz.com/test.js could read and write all key-values set on and by abc.com. Isn't that considered a huge security hole? Are sites advised to not store any user sensitive information in localstorage when you are planning to use any third-party JS like from Google Analytics?

Here is an example - https://jsfiddle.net/kuldeepk/eqawezd6/1/

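// First-party code running on the abc.com page
localStorage.setItem('first-party', 'first-party');
// window.Test is defined by the third-party script (xyz.com/test.js)
window.Test.setKeyValue('third-party', 'third-party');
console.log(window.Test.getKey('first-party'));   // third-party code reads the first-party key
console.log(localStorage.getItem('third-party')); // first-party code reads the third-party key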

window.Test is declared in third-party JS

Are sites advised to not store any user sensitive information

Hell no, with or without using any third-party JS.

Everything in js or html can be read by everybody visiting your site, no matter if it's in localstorage or elsewhere in the front-end.

Just press F12 and look at the entire front-end source code stackoverflow has to offer.
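A runnable model of the behaviour asked about, added here as an example (it is not code from the question or the answer): Web Storage is keyed by the origin of the document, and a script included with a script tag runs with that document's globals, whatever host it was fetched from. `storageFor`, `openDocument`, `includeScript` and the body of `test.js` are constructed for illustration, and the model goes one step beyond the question by also running the same script in a document served from xyz.com.

```javascript
// Model of Web Storage: one key/value area per *document* origin.
const areas = new Map();

function storageFor(origin) {
  if (!areas.has(origin)) areas.set(origin, new Map());
  const area = areas.get(origin);
  return {
    setItem: (k, v) => { area.set(String(k), String(v)); },
    getItem: (k) => (area.has(String(k)) ? area.get(String(k)) : null),
  };
}

// A "document": its origin alone selects the storage area its scripts see.
function openDocument(origin) {
  const logged = [];
  return { origin, logged, localStorage: storageFor(origin),
           console: { log: (v) => logged.push(v) } };
}

// Stand-in for <script src=scriptUrl>: scriptUrl says where the code came
// from, but the code runs with the embedding document's globals.
function includeScript(doc, scriptUrl, source) {
  new Function('window', 'localStorage', 'console', source)(
    doc, doc.localStorage, doc.console);
}

// Constructed stand-in for xyz.com/test.js (window.Test from the question).
const THIRD_PARTY_JS = `
  window.Test = {
    setKeyValue: (k, v) => localStorage.setItem(k, v),
    getKey: (k) => localStorage.getItem(k),
  };`;

function demo() {
  // Page on abc.com embedding the xyz.com script, then the question's code.
  const page = openDocument('https://abc.com');
  includeScript(page, 'https://xyz.com/test.js', THIRD_PARTY_JS);
  includeScript(page, 'https://abc.com/', `
    localStorage.setItem('first-party', 'first-party');
    window.Test.setKeyValue('third-party', 'third-party');
    console.log(window.Test.getKey('first-party'));
    console.log(localStorage.getItem('third-party'));`);

  // The same script inside a document whose own origin is xyz.com.
  const frame = openDocument('https://xyz.com');
  includeScript(frame, 'https://xyz.com/test.js', THIRD_PARTY_JS);
  includeScript(frame, 'https://xyz.com/', `console.log(window.Test.getKey('first-party'));`);

  return { embedded: page.logged, separateOrigin: frame.logged };
}
```

In the model, the embedded script reads and writes the abc.com area exactly as in the fiddle, while the same code running in an xyz.com document gets `null` for the abc.com key.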
