jsCache icon indicating copy to clipboard operation
jsCache copied to clipboard

Published 20 hours ago verified publisher icon mortzdk

encrypt JS in localStorage

Open stevesouders opened this issue 10 years ago • 3 comments

Storing JS in localStorage introduces a security risk as discussed here: http://lists.w3.org/Archives/Public/public-webcrypto-comments/2012Aug/0076.html . It would be better to encrypt the JS before storing.

stevesouders avatar Mar 21 '14 19:03 stevesouders

I see your point.

As for now I see two solutions to this issue:

  1. You request the javascript files from their original address each time and compare the files content using a hashfunction. This would though obviate the purpose of storing the javascript files in localStorage as far as I can see.
  2. Have a centralized server which holds hash values of all javascript files i.e. when loading a file for the first time a hash is stored in the centralized server of the file and each time we load files using jsCache, we request a set of hashes corresponding to the javascripts files we wish to load and compare these with the hashes of the localStorage files.

Does anyone have a better solution?

mortzdk avatar Mar 22 '14 08:03 mortzdk

Rather than doing a checksum comparison, you could encrypt it clientside. jsCache would have to be extended to support this.

stevesouders avatar May 30 '14 20:05 stevesouders

I do not see how JS encryption would solve the problem, as there is no way to store the encryption key: http://matasano.com/articles/javascript-cryptography/

Moreover i've found: http://www.w3.org/TR/2013/WD-webcrypto-usecases-20130108/#data-integrity

Which suggest the 2. solution mentioned earlier.

mortzdk avatar Jun 02 '14 07:06 mortzdk