The Web Design Group

... Making the Web accessible to all.

Welcome Guest ( Log In | Register )

 
Reply to this topicStart new topic
> Javascript localStorage (persistent cookies)
Christian J
post Feb 15 2012, 04:55 PM
Post #1


.
********

Group: WDG Moderators
Posts: 5,917
Joined: 10-August 06
Member No.: 7



The Javascript/DOM localStorage lets newer browsers store up to 5MB of data (per domain) on the HD. This seems very useful for developers, but few web users seem to know or care about the security/privacy implications. W3C itself points out the following vulnerability:

"7.2 Cross-directory attacks

Different authors sharing one host name, for example users hosting content on geocities.com, all share one local storage object. There is no feature to restrict the access by pathname. Authors on shared hosts are therefore recommended to avoid using these features, as it would be trivial for other authors to read the data and overwrite it."

Furthermore, current browsers have no dedicated controls for viewing or deleting the localStorage data (unlike cookies). Maybe you can get rid of it by deleting all user history/cache data, or by using browser extensions. Personally I feel more and more reluctant to use Javascript at all with inventions like this.

Some code examples and demos: http://www.javascriptkit.com/javatutors/domstorage.shtml (including workarounds for MSIE, which doesn't support localStorage yet).

Here's a bookmarklet/favelet that shows what a site may have saved: http://potch.me/ls/ (e.g., http://twitter.com/ used localStorage when I tested).

http://www.w3.org/TR/webstorage/
http://en.wikipedia.org/wiki/Web_storage

(I put the thread in Off-Topic since I want to discuss the privacy/security issues rather than the actual scripting.)


--------------------
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
jimlongo
post Feb 15 2012, 05:00 PM
Post #2


This is My Life
*******

Group: Members
Posts: 1,094
Joined: 24-August 06
From: t-dot
Member No.: 16



Shared hosting is weak in so many ways.

You get what you pay for. Sure it only costs $4 a month, but don't expect industrial strength storage or performance.



--------------------
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Feb 15 2012, 09:01 PM
Post #3


.
********

Group: WDG Moderators
Posts: 5,917
Joined: 10-August 06
Member No.: 7



Shared site visitors may suffer too. For example, site A may store exactly which pages the visitor looked at, then if the visitor goes to site B the latter can see all of it as well.


--------------------
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
pandy
post Feb 16 2012, 05:15 AM
Post #4


Don't like donuts. Don't do MySpace.
********

Group: WDG Moderators
Posts: 15,191
Joined: 9-August 06
Member No.: 6



Scary. I didn't know about this, so thanks for posting. What do you mean by shared site though?


--------------------
"Never go to excess, but let moderation be your guide."
- Cicero

IPB Image
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Feb 16 2012, 10:31 AM
Post #5


.
********

Group: WDG Moderators
Posts: 5,917
Joined: 10-August 06
Member No.: 7



QUOTE(pandy @ Feb 16 2012, 11:15 AM) *

What do you mean by shared site though?

Sites that don't have their own domain (the W3C page mentions Geocities accounts).

QUOTE(Christian J @ Feb 15 2012, 10:55 PM) *

current browsers have no dedicated controls for viewing or deleting the localStorage data (unlike cookies).

Opera 11 does have settings for "Persistent Storage" (Preferences > Advanced > Storage)

Iron (Chrome?) seems to hide it under "Cookies and other data".

Can't find anything in Firefox.

This post has been edited by Christian J: Feb 16 2012, 10:48 AM


--------------------
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Feb 16 2012, 08:05 PM
Post #6


.
********

Group: WDG Moderators
Posts: 5,917
Joined: 10-August 06
Member No.: 7



One possibly good consequence of localStorage might be that a site's database no longer has to store as much data about their users, which in turn means less to steal for someone breaking into the DB.


--------------------
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post
Christian J
post Feb 19 2013, 03:18 PM
Post #7


.
********

Group: WDG Moderators
Posts: 5,917
Joined: 10-August 06
Member No.: 7



Now a year later there seem to be quite a few sites using web storage.

QUOTE(Christian J @ Feb 16 2012, 04:31 PM) *

Opera 11 does have settings for "Persistent Storage" (Preferences > Advanced > Storage)

Even though Opera12 is configured to empty the cache on exit, the Persistent Storage is still not deleted unless you do it manually. There's also a setting to "Use application cache" (the same as Session Storage?), where you can choose between Yes/No/Ask. I've set it to Ask, but haven't seen any such requests yet.

Possibly Persistent Storage can be disabled from "opera:config#PersistentStorage". Or you might try

CODE
localStorage.clear();

in a Opera user javascript (this doesn't disable Web Storage, but at least deletes old entries when you return to a site).

QUOTE
Can't find anything in Firefox.

According to http://en.wikipedia.org/wiki/Web_storage#W...rage_Management it can be disabled by setting the "about:config" parameter "dom.storage.enabled" to false.




--------------------
User is offlinePM
Go to the top of the page
Toggle Multi-post QuotingQuote Post

Reply to this topicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 



- Lo-Fi Version Time is now: 22nd July 2014 - 04:32 PM