
Chrome extension: is storing variables in the background page secure?

I'd like to know if storing some information in variables in the background page raises security problems?

Could a website or another extension get access to these variables?

I currently have an extension with a login system (I store a hash of the password in the localStorage so I compare hashes when users attempt to connect to the system). I am thinking of extending it with a module that would keep a password in memory until log out or time out. I don't want to use the localStorage to store the password in the clear so I thought to store it in the background page, but it might be worse ...

If this is not secure, could you give me a tip about how to implement such a module?

Thank you.

user2518293 asked Aug 31 '25 05:08


1 Answer

Other extensions and websites cannot access the storage of your background page, unless you implement this feature yourself.

Saving data at your extension's background page is as secure as Chrome's password manager.
Chrome stores its credentials without encryption in a SQLite database at profile directory/Default/Login Data.

Data from chrome.storage, localStorage, HTML5 filesystem, IndexedDB, etc. are saved in Chrome's profile directory. Anyone with access to your profile directory can read the data. Anyone who opens the devtools for the background page can view the stored values.

If the profile directory is safe, you don't need to worry about the security of the method.
Otherwise, you have to make a trade-off between convenience and security. Is it acceptable to keep asking the user for the password? Then try saving session identifiers, and ask for credentials when a session has expired. Or use OAuth.

Read more

  • Tutorial: OAuth at the Chrome extensions documentation.
  • Password storing in Google Chrome content scripts at Security.SE.
  • How can I protect my saved passwords in Chrome? at Security.SE.

Rob W answered Sep 04 '25 04:09
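
As an added example (not part of the original answer and not code from Chrome), here is one way to keep the password only in the background page's memory until logout or an idle timeout, as the question describes, without ever handing it back over messaging. The names createSecretSession and handleMessage, the message shapes and the timeout value are assumptions made for illustration; anyone who can open the devtools for the background page can still read the value.

```javascript
// In-memory secret holder for an extension background page (added example).
// Nothing is written to localStorage or chrome.storage: the value lives only
// in this closure and is dropped on lock() or after an idle timeout.
function createSecretSession(timeoutMs, now = Date.now) {
  let secret = null;
  let lastUsed = 0;
  const expireIfIdle = () => {
    if (secret !== null && now() - lastUsed >= timeoutMs) secret = null;
  };
  return {
    unlock(value) { secret = value; lastUsed = now(); },
    lock() { secret = null; },
    // Does not refresh the idle timer, so polling cannot keep it alive.
    isUnlocked() { expireIfIdle(); return secret !== null; },
    // For use inside the background page only; refreshes the idle timer.
    get() {
      expireIfIdle();
      if (secret !== null) lastUsed = now();
      return secret;
    },
  };
}

// Message gate. `ownId` stands for chrome.runtime.id and `sender` is the
// MessageSender Chrome passes to listeners. Checking sender.id keeps the
// handler closed to other extensions and web pages even if it is later
// registered for onMessageExternal. The secret itself is never returned.
function handleMessage(session, ownId, msg, sender) {
  if (!sender || sender.id !== ownId) return { ok: false, error: "forbidden" };
  switch (msg && msg.type) {
    case "unlock":
      if (typeof msg.secret !== "string" || msg.secret === "") {
        return { ok: false, error: "bad request" };
      }
      session.unlock(msg.secret);
      return { ok: true };
    case "lock":
      session.lock();
      return { ok: true };
    case "status":
      return { ok: true, unlocked: session.isUnlocked() };
    default:
      return { ok: false, error: "unknown type" };
  }
}

// Wiring inside the background page (requires the extension runtime):
// const session = createSecretSession(10 * 60 * 1000);
// chrome.runtime.onMessage.addListener((msg, sender, sendResponse) =>
//   sendResponse(handleMessage(session, chrome.runtime.id, msg, sender)));
```
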