HTML and CSS Reference
Because of the potential for DNS spoofing attacks, you cannot guarantee that a host
claiming to be in a certain domain really is from that domain. To mitigate this and keep
your app secure, you can use TLS (Transport Layer Security) for your pages. TLS and its
predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide
communication security over the Internet. Pages using TLS can be sure that only the user,
software working on behalf of the user, and other pages using TLS that have certificates
identifying them as being from the same domain, can access their storage areas.
Web Storage, both localStorage and sessionStorage, is not secure: it is stored in
plain text with no way to encrypt it. If you're worried about data security, don't use
localStorage. There are solutions like jCryption (http://www.jcryption.org) for those
unwilling to buy SSL certificates or whose hosting providers do not support SSL. It's no
replacement for SSL, because there is no authentication, but the jCryption plug-in offers
a base level of security while being very easy and quick to install.
able to man-in-the-middle (MITM) attacks, so it is not a recommended
practice for storing sensitive data.
Within certain browsers, while the user is running in private or incognito browsing
modes, your application will get an exception when trying to store anything in Web
Storage. Every app that uses localStorage should check window['localStorage'].setItem
for a thrown QUOTA_EXCEEDED_ERR exception before relying on it. For example, the
problem in Figure 6-3 is that the window object still exposes localStorage in the global
namespace, but when you call setItem, this exception is thrown. Any calls to removeItem
are ignored.
Figure 6-3. Error when accessing localStorage
Safari returns null for any item that is set within the localStorage or sessionStorage
objects. So even if you set something before the user goes into private browsing
mode, you won't be able to retrieve it until they come out of the private session.
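A defensive probe covering both failure modes described above (the setItem exception in private mode and Safari's null reads), added here as an example rather than code from the book. The mock storage objects are constructed stand-ins for browser behaviour, and storageAvailable, selectStorage and memoryStorage are hypothetical helper names.

```javascript
// Added example: probe Web Storage before trusting it. In private browsing some
// browsers expose window.localStorage but setItem throws QUOTA_EXCEEDED_ERR
// (DOMException code 22) and removeItem is ignored; Safari may return null on read.

// True only if a setItem / getItem / removeItem round trip on `storage` succeeds.
function storageAvailable(storage) {
  const probeKey = '__storage_probe__';
  try {
    if (!storage) return false;
    storage.setItem(probeKey, probeKey);
    const readBack = storage.getItem(probeKey); // null in Safari private mode
    storage.removeItem(probeKey);
    return readBack === probeKey;
  } catch (err) {
    // Quota errors arrive as name 'QuotaExceededError' or legacy code 22;
    // any other exception also means the store is unusable.
    return false;
  }
}

// In-memory stand-in implementing the subset of the Storage interface used here.
function memoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
    get length() { return map.size; },
  };
}

// Use the browser store when it works; otherwise degrade to session-only memory.
// In a page: selectStorage(typeof window !== 'undefined' ? window.localStorage : null)
function selectStorage(candidate) {
  return storageAvailable(candidate) ? candidate : memoryStorage();
}

// Constructed mocks of the two misbehaviours described in the text (not browser code).
function privateModeStorageMock() {
  const err = new Error('QUOTA_EXCEEDED_ERR');
  err.name = 'QuotaExceededError';
  err.code = 22;
  return { getItem: () => null, setItem: () => { throw err; }, removeItem: () => {}, length: 0 };
}

function safariPrivateMock() {
  return { getItem: () => null, setItem: () => {}, removeItem: () => {}, length: 0 };
}
```

Because the probe writes, reads back and removes a key, it also catches a store that silently accepts writes but never returns them, which a bare try/catch around setItem would miss.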