Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
258 views
in Technique[技术] by (71.8m points)

html - HTML5 Web DB Security

I'm looking into an offline web app solution using HTML5. The functionality is everything I need BUT the data stored can be directly queried right in the browser and therefore completely unsecure!

Is there anyway to encrypt/hide so that the data is secure?

Thanks, D.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

There are two concerns to local storage in HTML5 -

  1. One website reading offline data that another website has stored in a users browser
  2. An end user querying your websites offline data directly

For 1, browsers enforce the same-domain restrictions to localStorage (or the sqllite database support that safari has), so other websites won't have access to the data that you store. However, do remember that if your site has XSS vulnerabilities, it would be possible to steal the data.

For 2, you can't prevent it. Its just like a cookie - the user can chose to view/delete/modify it.

Encryption of data is possible (see http://farfarfar.com/scripts/encrypt/), but pointless. You cannot have a single, global key/password - because an attacker can easily figure the key from javascript code. Using a user-entered password to encrypt/decrypt is possible, but client-side encryption libraries aren't mature or tested well enough. There are likely tons of way to break it.

So, for now atleast, don't store sensitive data in localStorage.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...