
Is HTML5 localStorage safe long term?

I am learning HTML, JavaScript, etc., and decided to make a small web app on the Chrome Web Store as an educational project. The app stores a few bits of important data in localStorage (essentially small saved text files), and I was wondering if this implementation choice is too fragile. I know that the user will lose data if their hard drive dies or they manually delete it, but is the data in danger under normal circumstances? For example, does Chrome ever decide to clean out localStorage for maintenance reasons?

Thanks, Alex

AlexMA asked May 25 '11 06:05


People also ask

Is HTML5 local storage secure?

Local storage wasn't designed to be used as a secure storage mechanism in a browser. It was designed to be a simple string only key/value store that developers could use to build slightly more complex single page apps. That's it.

Does localStorage last forever?

localStorage is similar to sessionStorage, except that while localStorage data has no expiration time, sessionStorage data gets cleared when the page session ends — that is, when the page is closed.

Is localStorage a security risk?

On the downside, localStorage is potentially vulnerable to cross-site scripting (XSS) attacks. If an attacker can inject malicious JavaScript into a webpage, they can steal an access token in localStorage. Also, unlike cookies, localStorage doesn't provide secure attributes that you can set to block attacks.

Can hackers access localStorage?

As local storage was never intended to be secure, there is no data protection and any JavaScript on the website can access it. Hackers can exploit the existing XSS vulnerability on the website like the following screenshot when the user browses to https://set-localstorage.herokuapp.com/xss-injected-page.html.


1 Answer

By default, Chrome deletes everything - including local storage - when you select "Clear Browsing Data", which some users might do if they're told to do something like "empty your browser's cache" without realising the implications.

The HTML5 spec doesn't specify anything with regards to the safety of data, possibly because it's a very young draft. I'd play it on the safe side and store that data in the cloud as well - it's what your users expect.

Morgan Harris answered Sep 21 '22 23:09
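
One way to act on the answer's advice to keep a second copy in the cloud, as an added example that is not part of the original answer: localStorage is treated as a cache that can vanish, and a cleared or full cache falls back to a backup. The `remote` object and its `get`/`put` methods are hypothetical stand-ins for whatever cloud API the app uses; the in-memory objects are constructed so the code runs outside a browser.

```javascript
// Added example. `local` is anything with the Web Storage getItem/setItem interface
// (window.localStorage in a browser); `remote` is a hypothetical async get/put backup.
function makeDurableStore(local, remote) {
  return {
    async save(key, text) {
      const record = JSON.stringify({ savedAt: Date.now(), text });
      let cached = true;
      try { local.setItem(key, record); } catch (err) { cached = false; } // quota hit or storage disabled
      await remote.put(key, record); // the backup is written even when the cache write fails
      return { cached };
    },
    async load(key) {
      const raw = local.getItem(key);
      if (raw !== null) {
        try { return { source: 'local', text: JSON.parse(raw).text }; } catch (err) { /* corrupted: use backup */ }
      }
      const backup = await remote.get(key);
      if (backup == null) return { source: 'none', text: null };
      try { local.setItem(key, backup); } catch (err) { /* refilling the cache is best effort */ }
      return { source: 'remote', text: JSON.parse(backup).text };
    },
  };
}
// Constructed in-memory stand-ins for localStorage and the backup service.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    clear: () => m.clear(),
  };
}
function memoryRemote() {
  const m = new Map();
  return { get: async (k) => (m.has(k) ? m.get(k) : null), put: async (k, v) => { m.set(k, v); } };
}
// Save, read, wipe the cache as "Clear Browsing Data" would, then read twice more.
async function demo() {
  const local = memoryStorage();
  const store = makeDurableStore(local, memoryRemote());
  await store.save('note-1', 'draft text');
  const before = await store.load('note-1');
  local.clear();
  const after = await store.load('note-1');
  const again = await store.load('note-1');
  return [before.source, after.source, again.source, after.text];
}
```

In a browser, pass `window.localStorage` as `local`; the read after the wipe comes from the backup and refills the cache, so the following read is local again.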