
I have a JavaScript Progressive Web App on a dedicated domain. I'd like to host it on a different static server that only gives me write access to domain.example/~my_username/*. More importantly, the server has many users and I don't want other users' JavaScript to get information stored in my local-forage, since it contains keys that should not be compromised.

Is there a method in local-forage (that uses indexed-db) that allows me to set a path, much like when using cookies?

Moreover, if this is not possible, is there any other storage medium on the client side that would allow me to store encryption keys for local-forage parameters?

Possibly related to https://stackoverflow.com/questions/25013643/is-it-possible-to-use-localstorage-with-context-per-path-like-cookie and https://stackoverflow.com/questions/9742395/scope-of-sessionstorage-and-localstorage

jg6
  • I wonder why you would need to do that? LocalStorage is completely local to the user (as is localForage), so if a user is logged in you retain their data, when they are not (aka expired cookies), you clear any databases you have. It's impossible to leak that way, since it remains on the user's device anyway. Just curious why you would need to do this... – somethinghere Apr 01 '20 at 19:51
  • Maybe by using subdomains? IndexedDB is scoped to origin though, and that cannot be modified, further restricted, etc – Josh Apr 02 '20 at 00:26
  • @somethinghere The problem is that I am using shared hosting that works on path prefixes instead of subdomains, meaning multiple apps are hosted on different path prefixes. My app would be on /app123, but someone else's would be on /app456. /app456 would be able to steal client's LocalStorage contents of /app123. I am not using that hosting service anymore, but it would still be useful knowledge, many universities still adopt such personal homepage hosting. – jg6 Dec 13 '20 at 23:47
  • @Josh Of course, subdomains would work. The app in question is now hosted on a dedicated domain, but my educational institution provides me with free hosting on a subfolder/path prefix, so I could use that (SEO does not matter), but other educational institution users have path prefixes on the same origin, so they can steal client's data from my app. Password encryption may be able to work, but that's annoying. – jg6 Dec 13 '20 at 23:49
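
The password encryption mentioned in the last comment, shown as an added example (not code from the question or from localForage): values are encrypted with a key derived from a user-supplied password before they reach the store, so script at another path on the same origin reads only salt, IV and ciphertext. `putSecret`, `getSecret`, `memoryStore` and the iteration count are assumptions made for illustration.

```javascript
// Added example: password-derived encryption in front of a localForage-style store.
// `store` is anything with promise-returning getItem/setItem (localForage has both).
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto; // browser, or older Node

const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune for your target devices

// Derive a non-extractable AES-GCM key from the user's password and a stored salt.
async function deriveKey(password, salt) {
  const material = await webcrypto.subtle.importKey(
    'raw', new TextEncoder().encode(password), 'PBKDF2', false, ['deriveKey']);
  return webcrypto.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: PBKDF2_ITERATIONS, hash: 'SHA-256' },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Encrypt a JSON-serialisable value and persist only salt, IV and ciphertext.
async function putSecret(store, name, value, password) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh IV per write
  const key = await deriveKey(password, salt);
  const ct = await webcrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(JSON.stringify(value)));
  await store.setItem(name, { salt, iv, ct: new Uint8Array(ct) });
}

// Returns the decrypted value, null if absent; throws on a wrong password
// or a tampered record (AES-GCM authentication failure).
async function getSecret(store, name, password) {
  const rec = await store.getItem(name);
  if (rec === null) return null;
  const key = await deriveKey(password, rec.salt);
  const pt = await webcrypto.subtle.decrypt({ name: 'AES-GCM', iv: rec.iv }, key, rec.ct);
  return JSON.parse(new TextDecoder().decode(pt));
}

// Constructed stand-in for localForage (same getItem/setItem shape), so this runs offline.
function memoryStore() {
  const m = new Map();
  return {
    setItem: async (k, v) => { m.set(k, v); return v; },
    getItem: async (k) => (m.has(k) ? m.get(k) : null),
  };
}
```

With localForage loaded, pass `localforage` as `store`. This covers data at rest only: the password and the derived key have to stay in memory and must never be written to origin-scoped storage.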

0 Answers