Menu
I am building a chrome extension that needs to persist user sensible data. I know that you can use HTML5 but it is vulnerable to XSS, and possibly other form of attacks. I recently found out about chrome.storage but the docs say:
Confidential user information should not be stored! The storage area isn't encrypted.
Now my question is:
932
The default content security policy pretty much protects you from XSS assuming you don't do anything really stupid. You could use some sort of a library to to encrypt local data and make users enter a passphrase to decrypt the data. The attack vectors at this point are more around malware on the computer and other people with physical access. Chrome extensions themselves are well protected from other sites.
Ultimately though, anything installed on the computer or having access to the computer has the potential to access the private info regardless of what you do. My recommendation would be make sure users are aware of how sensitive the data being stored is and that they need to maintain proper security precautions around getting access to the computer.
107
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
