Comments (9)
Hi Piotr,
Thanks for the suggestion! Since encryption does not address the goal of
store.js (create cross-browser storage) I'm hesitant to add it. What are
your thoughts about this?
Cheers!
Marcus
On Sat, Jul 14, 2012 at 5:30 AM, Piotr <[email protected]> wrote:
Goal
Use encryption for storing data for non-public app areas.
Description
As far as I know, browsers store DOM storage on disk in unencrypted files, DOM storage is accessible from all domain paths (except IE UserData) and doesn't expire. This may be considered a security issue on shared workstations in cases when the client-side app doesn't clear user data (browser crash / closed window) or the browser decides to keep it (temporary files).

I see the simplest solution in encrypting storage data after serializing to JSON and decrypting before deserializing. It's up to the developer to come up with an idea of how to obtain a secure key/token; assuming encrypted storage makes sense for non-public areas (user is logged in), one can possibly use a server-side unique session token. Once the server-side session expires, the token is not available anymore. When there is no token, previously saved data theoretically becomes undecryptable junk (and may be removed client-side on next execution). This should limit access to user data.
Drawback: Storage values take quite more space (depends on encoding);
Inspiration: dojo.storage.encrypted
Implementation
Configuration for Crypto.js, but any crypt library with methods encrypt( value ) and decrypt( encrypted ) should work:

```js
store.crypt = {
    key: App.token, // e.g. 'c015dc1d6028a6815ac944c8512c10db'
    encrypt: function( plaintext ) {
        return CryptoJS.AES.encrypt( plaintext, this.key ).toString();
    },
    decrypt: function( encrypted ) {
        return CryptoJS.AES.decrypt( encrypted, this.key ).toString( CryptoJS.enc.Utf8 );
    }
};
```

Proposed changes to store.js code (didn't test):

```js
store.serialize = function( value ) {
    var serialized = JSON.stringify( value );
    if ( store.crypt ) {
        serialized = store.crypt.encrypt( serialized );
    }
    return serialized;
};

store.deserialize = function( value ) {
    if ( typeof value !== 'string' ) {
        return undefined;
    }
    if ( store.crypt ) {
        try {
            value = store.crypt.decrypt( value );
        } catch ( e ) {
            return undefined;
        }
    }
    // Decrypting with the wrong key may yield an empty or garbled string
    // rather than throwing, so JSON.parse is guarded as well
    try {
        return JSON.parse( value );
    } catch ( e ) {
        return undefined;
    }
};
```

I'd like to discuss this idea with more proficient developers as I don't have much experience with client-side encryption.
Reply to this email directly or view it on GitHub: #50
from store.js.
Hi Marcus.
I get your point. Anyway I'd like to see a flexible way to inject such data processor. In my proposal, encryption in store.js code is mentioned only in function name, another scenario could be string compression.
Didn't come up with any meaningful names so:

in serialize:

```js
if ( store.encode ) {
    serialized = store.encode( serialized ); // afterSerialize / beforeSave / postProcess
}
```

in deserialize:

```js
if ( store.decode ) {
    value = store.decode( value ); // beforeDeserialize / afterLoad / preProcess
}
```
If you still think it's not a good idea, no big deal.
from store.js.
My suggestion is that you create a fork of store.js with encryption implemented. I would definitely link to it from the readme.
from store.js.
please keep store.js lean.
Rather than a fork, the submitter might want to create their own separate js library that depends upon store.js for its actual storage, but has its own methods to call to do so with encryption.
from store.js.
I agree.
from store.js.
Me too.
Sent from Samsung Galaxy Note ICS
On 2 Nov 2012 17:01, "Nashorn" [email protected] wrote:
> I agree.
Reply to this email directly or view it on GitHub: https://github.com//issues/50#issuecomment-10019166.
from store.js.
Thanks for weighing in everyone - I'll close this for now.
Cheers!
from store.js.
Thanks for opinions.
Although I think this is pretty important, it's quite easy (and probably a more generic solution) to overwrite native methods when the project's nature requires so.
from store.js.
Store.js v2.0 has been released with support for plugins! See https://github.com/marcuswestin/store.js#user-content-write-your-own-plugin for a quick description of how to write one.
If you're up for writing one I'll definitely accept a PR!
from store.js.