HTML5 localStorage安全性 [英] HTML5 localStorage security

问题描述

将localStorage用于敏感数据（假定当前的HTML5实现）是好的还是坏主意？

Would be a good or bad idea to use localStorage for sensitive data (assuming the current HTML5 implementations)?

我可以使用什么方法来保护数据，以便它不能被在客户端计算机上访问的人阅读？

What methods can I use to secure the data so that it cannot be read by a person that has access at the client computer?

推荐答案

坏主意。 b

Bad idea.

1. 有权访问本机的人将始终能够读取localStorage，但您无法做到阻止它。只需在firebug控制台中键入'localStorage'，就可以获得所有的键/值对。


2. 如果您的应用程序中存在XSS漏洞，则存储在 localStorage 可供攻击者使用。


3. 您可以尝试加密它，但有一个问题。在客户端加密它是可能的，但意味着用户必须提供密码和，您必须依赖未经过充分测试的加密算法的JavaScript实现。


4. 加密在服务器侧，当然也可以，但随后的客户端代码无法读取或更新，所以你已减少的localStorage到美化了cookie中。

1. Someone with access to the machine will always be able to read the localStorage, there is nothing much you can do to prevent it. Just type 'localStorage' in firebug console, and you get all the key/value pairs nicely listed.
2. If you have an XSS vulnerability in your application, anything stored in localStorage is available to an attacker.
3. You can try and encrypting it, but there is a catch. Encrypting it on the client is possible, but would mean the user has to provide a password and you have to depend on not-so-well-tested javascript implementations of cryptography.
4. Encrypting on the server side is of course possible, but then the client code cannot read or update it, and so you have reduced localStorage to a glorified cookie.

如果它需要安全，最好不要发送给客户端。无法控制的东西永远不会安全。

If it needs to be secure, its best to not send it to the client. What is not in your control can never be secure.

这篇关于HTML5 localStorage安全性的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！