ringcentral/ringcentral-js

Token Management and XSS considerations

gerneio opened this issue · 2 comments

Similar to #62, but that issue hasn't received a response in 7 years. If I understand correctly, according to the SDK readme, the SDK uses Browser LocalStorage API by default to store access and refresh tokens. I believe Auth.setData is what is responsible for setting this token data in localStorage, which is used by Platform.login and Platform._refresh.

So I just want to confirm that my above suspicions are correct, and if so, are there any concerns with XSS-based attacks? And if so, any recommendations for preventing these sorts of attacks for client-side-only web apps? A lot of what I have researched indicates to 1) store with encoding if possible, or preferably 2) use cookies over localStorage for storing tokens; however, I'm not sure that applies to a library/integration such as this, since it's just a JS SDK that we can consume in our web apps (assuming no server back end).

Any recommendations for client-side-only web apps? Does PKCE safeguard us from this sort of attack? However, I believe that is also stored in localStorage.

Hi @gerneio Sorry for missing the message. And thanks for the feedback.

Yes, the token and PKCE verifier are both saved in localStorage. But I don't think localStorage should be responsible for XSS. The page should be responsible for avoiding XSS. If the page is vulnerable to XSS, localStorage and cookies are both not safe. With XSS, all data can be read.
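The following is an added illustration of the point made in the reply above; it is example code written for this page, not code from ringcentral-js or from either commenter. It simulates, under Node, what an injected script can do once a page has an XSS bug: payload 1 enumerates web storage (and non-HttpOnly cookies), so tokens kept in localStorage are read directly; payload 2 monkey-patches fetch, so even a token that lives only in a closure is captured the moment the legitimate code uses it. The global object, the localStorage stand-in, the synchronous fetch stub, the cookie string, the token values and the key name `rc_token` are all constructed for the demo and are not the SDK's real storage layout.

```javascript
// Added example (not ringcentral-js code). Demonstrates why, with XSS present,
// the choice of localStorage vs in-memory storage only changes how the token
// leaks, not whether it leaks.

// Constructed stand-in for window.localStorage so the demo runs under Node.
class FakeLocalStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(String(k), String(v)); }
  removeItem(k) { this.map.delete(k); }
  clear() { this.map.clear(); }
}

// Same getItem/setItem shape, but the data lives in a closure: nothing on the
// global object references it and it cannot be enumerated from outside.
function createClosureStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(String(k), String(v)); },
    removeItem: (k) => { data.delete(k); },
    clear: () => data.clear(),
  };
}

// Minimal stand-in for a browser SDK: persists the token in whatever storage it
// was handed and sends it as a bearer token through the global fetch.
// 'rc_token' is an assumed key name, not the SDK's real one.
function createClient(globals, storage) {
  return {
    login(accessToken) {
      storage.setItem('rc_token', JSON.stringify({ access_token: accessToken }));
    },
    callApi(path) {
      const { access_token } = JSON.parse(storage.getItem('rc_token'));
      // Looked up at call time so a later hook on globals.fetch takes effect.
      return globals.fetch(path, { headers: { Authorization: 'Bearer ' + access_token } });
    },
  };
}

// XSS payload 1: runs with the page's privileges and dumps every web storage
// entry plus document.cookie (HttpOnly cookies would not appear here).
function xssDumpStorage(globals) {
  const found = {};
  for (let i = 0; i < globals.localStorage.length; i++) {
    const k = globals.localStorage.key(i);
    found[k] = globals.localStorage.getItem(k);
  }
  found.cookie = globals.document.cookie;
  return found;
}

// XSS payload 2: replaces fetch and records the Authorization header of every
// request the legitimate code makes from now on.
function xssHookFetch(globals) {
  const captured = [];
  const realFetch = globals.fetch;
  globals.fetch = (url, init) => {
    captured.push(init && init.headers && init.headers.Authorization);
    return realFetch(url, init);
  };
  return captured;
}

function demo() {
  // Constructed page globals; fetch is a synchronous stub for the demo.
  const globals = {
    localStorage: new FakeLocalStorage(),
    document: { cookie: 'session=cookie-value-visible-to-js' },
    fetch: () => ({ status: 200 }),
  };
  const results = {};

  // Case A: tokens in localStorage, as the thread says the SDK does by default.
  const clientA = createClient(globals, globals.localStorage);
  clientA.login('ACCESS-A');
  results.localStorageDump = xssDumpStorage(globals);   // rc_token is exposed

  // Case B: tokens in a closure-held store. Enumeration finds nothing ...
  globals.localStorage.clear();
  const clientB = createClient(globals, createClosureStorage());
  clientB.login('ACCESS-B');
  results.closureDump = xssDumpStorage(globals);        // no rc_token here
  // ... but hooking the network layer captures the token on first use.
  const captured = xssHookFetch(globals);
  clientB.callApi('/restapi/v1.0/account/~/extension/~');
  results.closureHooked = captured;
  return results;
}
```

Running `demo()` shows `localStorageDump` containing the serialized token and the cookie, `closureDump` containing only the cookie, and `closureHooked` holding `Bearer ACCESS-B`. That is the reply's point in executable form: keeping tokens out of localStorage narrows what a one-shot enumeration leaks, but any script running in the page can still hook the calls that use the token, so preventing script injection (output encoding, a strict Content-Security-Policy, no untrusted HTML) is the control that matters.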

This issue has been inactive, so I am closing it. If you think it still needs attention, please feel free to reopen it.