
Is it possible for an included script that is hosted on a different domain to access the local storage of the current domain? This still remains unclear for me after reading https://developer.mozilla.org/de/docs/Web/API/Window/localStorage

For example: mydomain.com includes <script src="https://www.youtube.com/iframe_api" async></script>. Can this included script access the localstorage from mydomain.com?

Simon Ferndriger

1 Answer


Scripts you include in your page using <script> can definitely access Local storage; they are running in the same origin as your other scripts. This is also the reason behind advisories not to store authentication tokens inside Local storage, because a script injected through an XSS attack can read and write to the Local storage.

This is however different for an <iframe>, since iframes have their own origin.

Positivity
  • Thank you. You nailed it, since I was intending to store a session id in localstorage. Since I have no backend available, is there a way to store a session id? Can localstorage be configured such that only scripts LOADED from the same domain can access it? – Simon Ferndriger Jul 30 '22 at 20:09
  • Would it be safe if EVERY external script were self-hosted (and checked for localstorage access), such that it would be impossible for another script to be injected? – Simon Ferndriger Jul 30 '22 at 20:15
  • @SimonFerndriger I don't believe this is possible. The best practice is to store it inside an http-only cookie. Regarding self-hosted scripts, you should not only check for localstorage access but also for including a third script or any other way of executing a dynamic piece of code! (This self-hosted script can download and execute another remote script.) – Positivity Jul 30 '22 at 20:22
  • @SimonFerndriger maybe this answer gives some insight on the security side https://security.stackexchange.com/a/15193/107894 – Positivity Jul 30 '22 at 20:27