[
https://issues.apache.org/jira/browse/CB-11032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15887552#comment-15887552
]
Jan Visser commented on CB-11032:
---------------------------------
Of course I wouldn't report an assumption. :-)
I will clarify:
The key element here is I execute javascript from a "trusted" server.
LocalStorage is based on origin. The origin of a cordova app is file:/// or
cordova:/// so when I run https://192.168.0.1/javascript.js and it saves
something to LocalStorage there is no way to keep
https://10.0.0.1/javascript.js from reading the LocalStorage.
Just try and connect with the Chrome Development tools and you will be able to
see this behaviour.
> Prevent LocalStorage from being read by other servers/domains
> -------------------------------------------------------------
>
> Key: CB-11032
> URL: https://issues.apache.org/jira/browse/CB-11032
> Project: Apache Cordova
> Issue Type: Wish
> Components: Android, iOS
> Reporter: Jan Visser
>
> I have created a Cordova app so that customers can connect to their intranet
> or internet server and see dashboards they created there. Their password is
> remembered using a token that is refreshed with a new token on every login
> and stored in LocalStorage. LocalStorage is scoped to the origin. The origin
> of a Cordova app is file:/// or cordova:/// Every server I can connect to can
> potentially read the tokens in the LocalStorage.
> My question: How can I prevent this? Anyone with an idea how to fix this? Or
> are there any better ways to avoid this problem?
> I'm willing to put time and effort into this issue to create a solution
> myself if necessary but first I would like to discuss what the best way to
> implement this in Cordova should be. A new plugin? Or maybe add functionality
> to an existing part of Cordova?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
