HTML and CSS Reference
In-Depth Information
Client-side storage is a big bonus for web applications that need to work offline and boost performance. Many of
these applications, however, store personal information about users and therefore you should carefully consider how
secure this data is on the client.
The job of securing data once it has been saved falls more in the realm of browser vendors because as a developer,
you don't really have much control over what's “under the hood.” One of the best things that browser vendors can
do, and in most cases are doing, is to ensure that when you delete data from LocalStorage, it is also promptly deleted
from the underlying system storage (such as the hard drive).
Cross-Directory Attacks
Assigning datastores to individual domains does wonders to stop websites from accessing each other's data. It falls
down, however, when it comes to websites like the now deceased that allowed people to create their
own customized pages. All these pages were under the same domain name and, therefore, would have shared the
same datastore on the client. This means that everyone could access, change, or delete the data stored by everybody
else's pages. This is known as a cross-directory attack. At the moment, there is no way to protect against it. It is
recommended that you don't use client-side storage if you are building an application that enables users to create
customized web pages under the same domain.
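The shared datastore described above follows from browsers keying localStorage by origin (scheme, host and port) and ignoring the URL path. The following added example (not code from the book) models that rule in JavaScript and flags any origin whose store is shared by pages in different directories; the host pages.example and the alice and bob directories are constructed for illustration.

```javascript
// Added example: models how browsers partition Web Storage by origin
// (scheme + host + port). The URL path plays no part in the key.
// All hostnames and page paths below are constructed for illustration.

// Return the origin that keys localStorage for a given page URL.
function storageOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// Minimal stand-in for the browser: one key/value store per origin.
class OriginPartitionedStorage {
  constructor() {
    this.stores = new Map();
  }
  // Equivalent of `window.localStorage` as seen by a script on pageUrl.
  forPage(pageUrl) {
    const origin = storageOrigin(pageUrl);
    if (!this.stores.has(origin)) this.stores.set(origin, new Map());
    return this.stores.get(origin);
  }
}

// Group hosted pages by origin and report every origin whose datastore
// is shared by pages from more than one top-level directory (owner).
function findSharedDatastores(pageUrls) {
  const ownersByOrigin = new Map();
  for (const pageUrl of pageUrls) {
    const url = new URL(pageUrl);
    const owner = url.pathname.split("/")[1] || "(root)";
    if (!ownersByOrigin.has(url.origin)) ownersByOrigin.set(url.origin, new Set());
    ownersByOrigin.get(url.origin).add(owner);
  }
  return [...ownersByOrigin]
    .filter(([, owners]) => owners.size > 1)
    .map(([origin, owners]) => ({ origin, owners: [...owners].sort() }));
}

// Constructed sample: two user pages in different directories of one host.
const browser = new OriginPartitionedStorage();
const alicePage = "https://pages.example/alice/bookings.html";
const bobPage = "https://pages.example/bob/index.html";

browser.forPage(alicePage).set("phone", "555-0100");
const seenFromBobPage = browser.forPage(bobPage).get("phone");
console.log("visible from the other directory:", seenFromBobPage);
console.log(findSharedDatastores([alicePage, bobPage]));
```

Running findSharedDatastores over the list of user-page URLs a site serves shows which directories end up reading and writing the same store.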
As HTML5 matures and more companies come on board, we are going to see more and more web applications leverage
both the performance boost and added offline capabilities that the new storage APIs provide. Google, for example,
has already taken advantage of these APIs to build a version of Gmail that works offline.
In this chapter, you learned how to use the new storage APIs in order to save data on the client-side rather than sending
it up to a server to be stored in a database. You updated the Joe's Pizza Co. website, adding some JavaScript code
that saves users' contact details when they first submit the bookings form and then automatically populates the
Name, Phone, and Email fields for them when they use the form in the future.
You also explored some of the privacy and security concerns surrounding client-side storage and learned what
browser vendors have done to make client-side storage more secure.
Chapter 13 introduces you to the GeoLocation API. Although this is not strictly part of HTML5, it's awesome—and
so I have included it in this topic. You learn all about how to use the API to pinpoint your user's location and how
you can use the information to personalize your websites.