by szmarczak 3 days ago
> isn't available in all cases

Which ones? Websites that ship no JavaScript? All browsers support this.

> can in some cases completely break sessions

Or you can just remove local storage from window and have it just for yourself, which seems what Discord is doing as well.

Attackers cannot use local storage because there is no local storage on the window object.

> A separate attack vector for the same problem

It's not exactly the same problem. The example you mentioned is a footgun because you don't vendor your dependencies. Deliberately giving someone else access to your website is an issue in itself.
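The "remove local storage from window and keep it just for yourself" pattern from the comment above, as an added example that is not code from the thread or from Discord. It runs under Node, so a constructed stand-in for `window` and a minimal Storage-like object replace the real browser globals; in a browser the same `delete window.localStorage` works because `localStorage` is a configurable attribute of the window object. The names `privatizeLocalStorage`, `laterScriptReadsToken` and `demo` are assumptions for illustration.

```javascript
// Added example, not from the original thread.
// Constructed stand-in for the browser Storage interface (getItem/setItem/removeItem).
function makeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Constructed stand-in for the global window object. The real window.localStorage
// is also configurable, which is what makes `delete window.localStorage` possible.
function makeWindow() {
  const win = {};
  Object.defineProperty(win, 'localStorage', {
    value: makeStorage(),
    configurable: true,
    enumerable: true,
    writable: false,
  });
  return win;
}

// The app's own first-run script: capture a private reference to Storage, then
// remove the global property so scripts loaded later see no window.localStorage.
// Only the narrow token API returned here closes over the captured Storage.
function privatizeLocalStorage(win) {
  const storage = win.localStorage; // captured before any other script runs
  delete win.localStorage;          // later scripts find nothing on window
  return {
    setToken: (t) => storage.setItem('token', t),
    getToken: () => storage.getItem('token'),
    clearToken: () => storage.removeItem('token'),
  };
}

// Simulates a script loaded later that only has `window` to work with.
function laterScriptReadsToken(win) {
  if (!('localStorage' in win) || win.localStorage == null) return null;
  return win.localStorage.getItem('token');
}

// Shows both sides: the app still reads its token, window no longer exposes Storage.
function demo() {
  const win = makeWindow();
  const session = privatizeLocalStorage(win);
  session.setToken('constructed-token-value'); // constructed sample value
  return {
    viaApp: session.getToken(),              // 'constructed-token-value'
    viaWindow: laterScriptReadsToken(win),   // null
    windowHasStorage: 'localStorage' in win, // false
  };
}
```

The closure hides only the global handle: any code that can reach the returned `session` object can still call its accessor, which is the limitation the reply below this comment points out, and the pattern cannot protect a token that the browser would never expose to script in the first place (an `HttpOnly` cookie).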

1 comments

In the Discord case they can just call the `getToken()` function. It's not on `window`, but it's trivial to find.

The mitigation is rough on systems where SIGKILL happens early and often. Presumably this is why Discord doesn't do this on mobile. You switching out of the app has a much higher likelihood of that happening than on other platforms. You can't rely on onunload ever getting a chance to run.

This also has barely anything to do with local storage; you could do the same for cookies. But with cookies, the browser blocks JS from getting your tokens at all if you use HttpOnly and don't leak it in responses or whatnot, so you don't need to (though you certainly can delete window.cookies if you want as well).