I'm relatively new to extension development for Chrome. I find that there is a lot of source material out there which mentions the use of OAuth over localStorage. I need to verify credentials for an API that doesn't offer OAuth. I don't want to do it through localStorage either due to the obvious security risks. Are there any other best practices that could be followed?


As of now I am directing the client to the main website through which Basic Auth occurs. If I were to follow this way the client would log in through the website every time, and I don't know how to check the ifLoggedIn() status other than by accessing the domain through a dummy request and checking if a 401 is returned. Is there some way out for this as well?

looseseal_90

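An added example (not code from the question or the answer) of the approach the question describes: keep the Basic credential in extension memory only, never in localStorage, and decide login state with one cheap probe request that treats a 401 as logged out while not discarding the credential on a transient failure. The probe URL, the cache TTL and the injectable fetch implementation are assumptions.

```javascript
// UTF-8 encode before btoa(): btoa() only accepts Latin-1 code points.
function basicAuthHeader(user, pass) {
  const bytes = new TextEncoder().encode(`${user}:${pass}`);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return "Basic " + btoa(bin);
}

// Map the probe's HTTP status to a login state. Only 401 means "logged out";
// 5xx or a network failure is "unknown", so an outage does not wipe a valid credential.
function classifyProbe(status) {
  if (status === 401) return "unauthenticated";
  if (status >= 200 && status < 300) return "authenticated";
  if (status === 403) return "forbidden";
  return "unknown";
}

// Holds the header in memory only (no localStorage, no chrome.storage); gone on unload.
class SessionCredential {
  constructor(ttlMs = 5 * 60 * 1000) {
    this.header = null; this.state = "unknown"; this.checkedAt = 0; this.ttlMs = ttlMs;
  }
  set(user, pass) { this.header = basicAuthHeader(user, pass); this.state = "unknown"; }
  // Cache the last probe result so a dummy request is not sent before every API call.
  isFresh(now) { return this.state !== "unknown" && now - this.checkedAt < this.ttlMs; }
  record(state, now) {
    this.state = state; this.checkedAt = now;
    if (state === "unauthenticated") this.header = null; // drop a rejected credential
  }
}

// One authenticated GET against probeUrl (assumed: an endpoint that answers 401
// for bad credentials). fetchImpl is injectable so the logic can be tested offline.
async function isLoggedIn(cred, probeUrl, fetchImpl = fetch, now = Date.now()) {
  if (!cred.header) return false;
  if (cred.isFresh(now)) return cred.state === "authenticated";
  let state;
  try {
    const res = await fetchImpl(probeUrl, {
      method: "GET", cache: "no-store", credentials: "omit", // no cookies, no caching
      headers: { Authorization: cred.header },
    });
    state = classifyProbe(res.status);
  } catch (err) {
    state = "unknown"; // network error: keep the credential and retry later
  }
  cred.record(state, now);
  return state === "authenticated";
}
```
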
1 Answer

Even if you use OAuth, in the Google samples it still saves the tokens in localStorage. Chrome storage is not encrypted, but the only way to get to it is by having access to the machine (physical or by malware), in which case you can't do much. Even if it were encrypted, malware could reverse-engineer it since the keys are in the client. The only encrypted area currently is chrome.sync, but the user has to enable it, plus it seems more dangerous to me. Anyone that hacks into your Chrome password could log in to Chrome from another machine and receive the encrypted sync data. That's worse because it doesn't require malware or physical access to that particular device.

Zig Mandel
  • I understand. Is there some sort of best practice that's followed in such cases? – looseseal_90 Nov 25 '13 at 16:07
  • Not that I'm aware of. For security implications see http://stackoverflow.com/questions/3718349/html5-localstorage-security/3719435#3719435 – Zig Mandel Nov 25 '13 at 16:16