On 2016-02-24 14:54, Radek Holý wrote:
> On 2016-02-24 12:36, Steven Ottz wrote:
>
>> Thanks for the links. This is why it is so hard. One person says one thing
>> and another says something different till the point you are back in the same
>> place.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "AngularJS" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at https://groups.google.com/group/angular [1].
>> For more options, visit https://groups.google.com/d/optout [2].
>
> Yes, that's my feeling as well.
>
> My understanding is that currently there is *no* secure way to store
> confidential data on the client side. What seems to me to be the most secure
> way (and please note that I am not a security expert - I just spent several
> weeks reading different blog posts) is the solution by Alex Bilbie. But one
> has to implement CSRF protection. A less laborious (but I guess also a less
> secure) solution is the Web Storage API (potentially with a fallback to
> cookies if the application has to be compatible with older browsers). But
> then one has to keep in mind the possibility of an XSS attack. But the threat
> of an XSS attack is there either way...
>
> --
> Radek

Hm, reading Bilbie's post again, I must say that I still did not get why it should be safer than the Web Storage API and, what is more important, it isn't relevant to your problem since your client has to be able to read the data. So, ignore the first part of my message please. But the points that there is no secure way to store data on the client and that the Web Storage API is vulnerable to XSS attacks are still valid.

--
Radek

Links:
------
[1] https://groups.google.com/group/angular
[2] https://groups.google.com/d/optout
