History security question
adaniello opened this issue · 3 comments
Hi,
I tried history support in intercooler and noted that in local storage you also save the content, but I think that this represents a security issue.
Is it required? Can I remove this?
Thanks,
Achille
Hi Adaniello,
Local storage has the same security model as cookies, so it is no worse than that. If it concerns you, though, then history support is probably not worth it for your app.
Thanks for the feedback, but maybe we should add a little note about this point in the documentation (e.g. "do not use history if you have sensitive information in your content..." as already done with "This functionality is currently experimental...").
What do you think about it?
Well, the browser is also caching all that sensitive information locally, regardless of how you're using Intercooler. It's not clear to us how Intercooler's history mechanism introduces a new security issue, so we're not sure why to document it.
If your app is handling extremely sensitive data, then I hope you will hire a security expert to do threat modeling and penetration testing of your whole system. If they trace any issues to Intercooler, please let us know!
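As an added example (not intercooler's own code and not part of this thread), here is the kind of mitigation an app author who still wants history support could put in front of a localStorage-backed snapshot cache: refuse to persist snapshots of content the page marks as sensitive, and purge every snapshot on logout so nothing outlives the session. The key prefix `ic-history:` and the `data-sensitive` attribute are assumptions for illustration, not intercooler's real storage keys or API. The storage object is injected so the example runs under Node; in a browser you would pass `window.localStorage`.

```javascript
// Added example: a minimal history-snapshot cache with a sensitive-content
// opt-out and a purge hook. NOT intercooler's implementation; the key prefix
// and the opt-out attribute below are assumptions made for this example.

const HISTORY_PREFIX = 'ic-history:';      // assumed prefix, not intercooler's real key
const SENSITIVE_MARKER = 'data-sensitive'; // assumed opt-out attribute on sensitive markup

// Minimal Web Storage-like shim so the example runs outside a browser.
// In a browser, pass window.localStorage to createHistoryCache instead.
function memoryStorage() {
  const map = new Map();
  return {
    get length() { return map.size; },
    key(i) { return Array.from(map.keys())[i] ?? null; },
    getItem(k) { return map.has(k) ? map.get(k) : null; },
    setItem(k, v) { map.set(k, String(v)); },
    removeItem(k) { map.delete(k); },
  };
}

function createHistoryCache(storage) {
  return {
    // Persist a snapshot of the HTML for a URL, unless the markup is flagged
    // as sensitive. Returns true when a snapshot was written.
    save(url, html) {
      if (html.includes(SENSITIVE_MARKER)) return false; // never persist flagged content
      const entry = { url, html, savedAt: Date.now() };
      storage.setItem(HISTORY_PREFIX + url, JSON.stringify(entry));
      return true;
    },

    // Return the cached HTML for a URL, or null when nothing was persisted.
    restore(url) {
      const raw = storage.getItem(HISTORY_PREFIX + url);
      return raw === null ? null : JSON.parse(raw).html;
    },

    // List the snapshot keys currently on disk; handy when auditing what the
    // app leaves behind in the user's browser.
    keys() {
      const found = [];
      for (let i = 0; i < storage.length; i++) {
        const k = storage.key(i);
        if (k !== null && k.startsWith(HISTORY_PREFIX)) found.push(k);
      }
      return found;
    },

    // Remove every snapshot and report how many were removed. Call this from
    // the logout path so cached content does not survive the session.
    purge() {
      const doomed = this.keys();
      doomed.forEach((k) => storage.removeItem(k));
      return doomed.length;
    },
  };
}

// Constructed walk-through using the in-memory shim.
function demo() {
  const storage = memoryStorage();
  const cache = createHistoryCache(storage);
  cache.save('/dashboard', '<div>welcome back</div>');
  cache.save('/account', '<div data-sensitive="true">account number 1234</div>');
  const persisted = cache.keys().length;   // only /dashboard was written
  const removed = cache.purge();           // logout: everything is gone
  return { persisted, removed, afterPurge: cache.keys().length };
}

module.exports = { memoryStorage, createHistoryCache, demo, HISTORY_PREFIX };
```

The opt-out check is deliberately coarse (a substring test on the markup) so the rule is easy to reason about; the important property is that purge() only touches keys under the history prefix, leaving unrelated localStorage entries alone.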