
How are you controlling security?

Open rsshilli opened this issue 2 years ago • 2 comments


Let's assume that I have:

  • sub1.example.com
  • sub2.example.com and they are using this library by sharing data with the origin set to a page on example.com.

Couldn't I set up sub1.example.com.malicious.com and point it to the origin set on example.com and then see all of the data in any user's browser whom I can trick into going to my malicious site?

rsshilli · Sep 16 '23 10:09

Of course, you could use it like this.

```js
new OriginStorage({
  broadcastChanges: true,
  targetOrigin: 'http://sub1.example.com',
})
```

This will mean that only sub1.example.com will have access to this shared data.

unadlib · Sep 20 '23 16:09

If you want to support multiple site configurations, you can set it up like this.

```js
new OriginStorage({
  broadcastChanges: true,
  targetOrigin: 'http://sub1.example.com',
})

new OriginStorage({
  broadcastChanges: true,
  targetOrigin: 'http://sub2.example.com',
})
```

unadlib · Sep 20 '23 16:09
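The question in this issue is really about how the hub page on example.com decides which `event.origin` values it will serve. As an added example, not origin-storage's own code, the snippet below compares the message origin against the configured `targetOrigin` values as whole origins; a substring check is included only to show how a look-alike host such as `sub1.example.com.malicious.com` slips past it. The `handleStorageMessage` handler, its `store` argument and the message shape are assumptions for the example.

```javascript
// Added example (not origin-storage's own code): whole-origin allow-listing for a
// postMessage storage hub, the check the issue above is asking about.

// Normalize a configured origin string to scheme://host[:port], dropping any path.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null; // unparsable config entries never match anything
  }
}

// Correct check: exact comparison of the whole origin (scheme, host and port).
function isAllowedOrigin(origin, allowlist) {
  const allowed = new Set(allowlist.map(normalizeOrigin).filter(Boolean));
  return allowed.has(origin);
}

// Flawed check for contrast: a hostname substring test accepts
// http://sub1.example.com.malicious.com because it contains "sub1.example.com".
function isAllowedOriginNaive(origin, allowlist) {
  return allowlist.some((entry) => origin.includes(new URL(entry).hostname));
}

// Hub-side handler (assumed shape): refuse messages from unlisted origins and
// answer only to event.origin, never to '*'. `store` is any Map-like object.
function handleStorageMessage(event, allowlist, store) {
  if (!isAllowedOrigin(event.origin, allowlist)) {
    return { ok: false, reason: 'origin not allowed' };
  }
  const { type, key, value } = event.data || {};
  if (type === 'set') store.set(key, value);
  const reply = { ok: true, value: store.get(key) };
  // In a real page: event.source.postMessage(reply, event.origin);
  return reply;
}
```

Registering one `targetOrigin` per trusted subdomain, as in the comment above, is what populates the allowlist this handler checks against.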