Thursday, June 23, 2016

Prevent cookie from being sent to server

I am writing an application where most of the state is stored on the client side. The state is somewhat private information, so I would like to keep it on the client side. There are some strict policies that forbid this information ever reaching my server. Until now I used localStorage and it was a perfect solution.

Unfortunately it turns out Safari has some issues with localStorage and iframes (1, 2, 3). If I use cookies the browser will send them to the server, which is not acceptable. All the stored data is managed using JavaScript; no HTTP Set-Cookie header is used.

The basic use case is the following: the application has a "master" page in domain A, on which the user can change his settings, and there is a page in another domain (B), which has an iframe pointing to some special page in domain A, and uses postMessage and onmessage to exchange some information. The master page of domain A and the iframe embedded in domain B must share some storage to operate.

Any ideas on this?

EDIT 1

One idea is the following: ask the user for a password in the iframe and on the "master" page too, and use that password to encrypt the private information. The encrypted private info can be stored in cookies, as my server doesn't have the user's password. This is the best solution so far, but it is uncomfortable for the users.

3 Answers

Answer 1

According to this post you can use

window.parent.postMessage("Hello From IFrame", "*");

in combination with an event listener in the parent frame

window.addEventListener("message", OnMessage, false);

to cross-domain communicate from the child frame to the parent.

You can then use local storage in the parent frame to keep your shared information as before.
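The pattern this answer describes, as an added example that is not part of the original answer: the parent frame owns the localStorage and the embedded frame reads and writes it through postMessage. The handler takes the storage object and the expected child origin as parameters so the same logic runs under Node for the demo and under window.localStorage in a page; it discards messages from any other origin and answers with an explicit targetOrigin instead of "*". The origins and the storage key are constructed placeholders.

```javascript
// Added example, not code from the original answer. Parent-frame side of a
// postMessage bridge to localStorage, with the origin check that the "*"
// wildcard in the answer leaves out.

const CHILD_ORIGIN = "https://b.example"; // constructed: origin of the frame allowed to talk to us
const STORAGE_KEY = "shared-state";       // constructed localStorage key

// Minimal stand-in for window.localStorage so the demo runs outside a browser.
function memoryStorage() {
  const store = new Map();
  return {
    getItem: (k) => (store.has(k) ? store.get(k) : null),
    setItem: (k, v) => { store.set(k, String(v)); },
  };
}

// Build the "message" handler for the parent frame. `storage` is any object
// with getItem/setItem; `childOrigin` is the only origin whose messages count.
// Returns the reply object to send, or null when the message is ignored.
function makeParentHandler(storage, childOrigin) {
  return function onMessage(event) {
    if (event.origin !== childOrigin) return null; // not our frame: ignore silently
    const msg = event.data;
    if (!msg || typeof msg !== "object") return null;

    if (msg.type === "get") {
      const raw = storage.getItem(STORAGE_KEY);
      return { type: "state", state: raw === null ? null : JSON.parse(raw) };
    }
    if (msg.type === "set" && msg.state && typeof msg.state === "object") {
      storage.setItem(STORAGE_KEY, JSON.stringify(msg.state));
      return { type: "ack" };
    }
    return { type: "error", reason: "unknown message type" };
  };
}

// Browser wiring (parent page), shown as comments because it needs window:
//   const handler = makeParentHandler(window.localStorage, CHILD_ORIGIN);
//   window.addEventListener("message", (e) => {
//     const reply = handler(e);
//     if (reply) e.source.postMessage(reply, e.origin); // reply only to the checked origin
//   });
// Child frame side:
//   window.parent.postMessage({ type: "set", state: { theme: "dark" } }, "https://a.example");

// Stand-alone demo: a set followed by a get, plus one message from a foreign origin.
function demo() {
  const handler = makeParentHandler(memoryStorage(), CHILD_ORIGIN);
  const ignored = handler({ origin: "https://other.example", data: { type: "get" } });
  handler({ origin: CHILD_ORIGIN, data: { type: "set", state: { theme: "dark" } } });
  const got = handler({ origin: CHILD_ORIGIN, data: { type: "get" } });
  return { ignored, got };
}
```

Checking event.origin on receipt and naming the target origin on send are what keep a third page that embeds the same frame from reading or rewriting the shared state through this bridge.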

Answer 2

You can use session storage instead if local storage doesn't work well, since session storage is not sent to the server.

But the limitation of using session storage is that you will not be able to share data between tabs on the same domain; inside a single tab it will work fine.

Answer 3

Not too sure, but perhaps you are looking for a solution that:

  1. Does not ask the user for a password to encrypt the private data
  2. Uses a permanent password for each user to encrypt the private data (the next time the user comes back, the same password is still used)

How about using the user's login password to encrypt the data?

Or generate a token on the server and store it on the client side as well. When the server sends the data back to the client, check the token and encrypt the data based on the token. Try to build multiple types of token, each type with a different kind of encryption.

Other solution

Use the Secure cookie flag + HTTP Strict Transport Security. You don't need to change anything on the client; just implement them on your back-end. You can read more here: https://www.owasp.org/index.php/SecureFlag https://www.owasp.org/index.php/HTTP_Strict_Transport_Security

Hope it helps.
