5

If I set localStorage item then StorageEvent is firing for all same-domain windows except current.

If I raise StorageEvent programmatically then StorageEvent is firing only for target window.
Code example:

var evt = document.createEvent('StorageEvent');
evt.initStorageEvent('storage',false,false,'key','oldValue','newValue',
                  'http://example.com',window.localStorage);
window.dispatchEvent(evt);

Can I modify the code example to simulate behaviour from window.setItem

Cœur
  • 37,241
  • 25
  • 195
  • 267
mlosev
  • 5,130
  • 1
  • 19
  • 31
  • Ah... that's an old question with no other activity than spelling... Well anyway, if someone else comes to this, Why do you want to do this? Can't you simply `setItem` directly? Beside, I think the only way this could be possible would be to have gained access to all the different pages where this event should happen, might be possible in an automated test case, but almost impossible to make something bullet-proof. – Kaiido Apr 02 '18 at 01:51
  • @Kaiido In order to transfer data from one tab to another, for example, a login token. See https://stackoverflow.com/questions/20325763/browser-sessionstorage-share-between-tabs for a discussion. That solution requires the value to be stored in session storage, solely for the purpose of generating the event, with a resulting loss of security. If it were possible to generate the event programmatically, then that solution would be more secure. Its is unclear to me why this is not possible. – dbp Dec 30 '22 at 20:35
  • @dbp for this use a BroadcastChannel. – Kaiido Dec 31 '22 at 01:10
  • @kaiido if you want to implement broadcast channel behaviour in browsers that do not support it. – dbp Dec 31 '22 at 05:17
  • @dbp but all up to date browsers do support it. Certainly if you care about security you don't need to support older browsers since these would not be safe to use on the web anyway. And to polyfill BroadcastChannel we indeed did use `localStorage` and the `StorageEvent`, but there was no need to "only fire" the event, we just did set an actual new value in the storage. – Kaiido Dec 31 '22 at 09:18
  • @kaiido don't tell my users what browser to use. It depends on whether the data is sensitive or not, as to whether putting it in storage is a good idea. I hope that the polyfill documents this risk. I do not have anything at stake in this, but I do wonder why one cannot programmatically generate storage events. – dbp Dec 31 '22 at 17:22
  • But why would you keep it in the storage? Just remove it once emitted. And yes if the data is sensitive you should tell them that they're not safe using outdated browsers. You cannot fire storage events on other browsing contexts because you don't have access to the targets. – Kaiido Jan 01 '23 at 01:02
  • @kaiido the data is at risk when it is in storage, for however long. – dbp Jan 01 '23 at 18:37
  • @dbp No it's not. What makes you think so? You clearly have some misconception about the threats you've to deal with. Once again, an out of date browser (at the level of not supporting BC) is far more dangrous than using the Storage API. – Kaiido Jan 01 '23 at 19:37

1 Answers1

-2

You can create an iframe pointing to same origin (about:blank qualifies as such) and set a localStorage value in its contentWindow to get the event firing on any other window pointing to that same origin and listening to storage events:

window.addEventListener('storage', function(e) {console.log('storage event', e)});
iframe = document.createElement('iframe');
iframe.src = 'about:blank';
document.body.appendChild(iframe);
iframe.contentWindow.localStorage.setItem('test', 'value1');

Output:

storage event 
StorageEvent {
  isTrusted: true,
  key: "test",
  oldValue: null,
  newValue: "value1",
  url: "about:blank",
  …
}
Lucas Tomas Casas Arregui
  • 11
  • 1