HTML5 Web DB Security


Question

I'm looking into an offline web app solution using HTML5. The functionality is everything I need BUT the data stored can be directly queried right in the browser and is therefore completely insecure!

Is there any way to encrypt/hide it so that the data is secure?

Thanks, D.

Solution

There are two concerns with local storage in HTML5:

  1. One website reading offline data that another website has stored in a user's browser
  2. An end user querying your website's offline data directly

For 1, browsers enforce the same-domain restrictions on localStorage (or the SQLite database support that Safari has), so other websites won't have access to the data that you store. However, do remember that if your site has XSS vulnerabilities, it would be possible to steal the data.

For 2, you can't prevent it. It's just like a cookie: the user can choose to view/delete/modify it.

Encryption of data is possible (see http://farfarfar.com/scripts/encrypt/), but pointless. You cannot have a single, global key/password, because an attacker can easily figure out the key from the JavaScript code. Using a user-entered password to encrypt/decrypt is possible, but client-side encryption libraries aren't mature or tested well enough. There are likely tons of ways to break it.

So, for now at least, don't store sensitive data in localStorage.
