|
|
|
|
|
|
by jkrejcha
4 days ago
|
|
|
> True. However it's not impossible to mitigate that: https://news.ycombinator.com/item?id=48563286 It's not a perfect mitigation for session stealing, isn't available in all cases, requires custom code to implement, and also can in some cases completely break sessions (unless they have another place where it's stored) > It's a separate attack vector. It's easily mitigated by having a one week back-off before upgrading. (and as I have said already, also affects binary executables) A separate attack vector for the same problem. Which is also not mitigated by dependency back-off. If you load a 3rd party script into your site, you're relying on that 3rd party not getting compromised. For example, if I have a page <script src="https://example.com/accel.js" /> and if "accel.js" gets maliciously replaced, it can read all of the data out of local storage. No updates on your end required. |
|
|
Which ones? Websites that ship no JavaScript? All browsers support this.
> can in some cases completely break sessions
Or you can just remove local storage from window and have it just for yourself, which seems what Discord is doing as well.
Attackers cannot use local storage because there is no local storage on the window object.
> A separate attack vector for the same problem
It's not exactly the same problem. The example you mentioned is a footgun because you don't vendor your dependencies. Deliberately giving someone else access to your website is an issue in itself.