HTML and CSS Reference
In-Depth Information
Because of the potential for DNS spoofing attacks, you cannot guarantee that a host
claiming to be in a certain domain really is from that domain. To mitigate this and keep
your app secure, you can use
TLS
(
Transport Layer Security
) for your pages. TLS and its
predecessor,
Secure Sockets Layer
(
SSL
), are cryptographic protocols that provide com‐
munication security over the Internet. Pages using TLS can be sure that only the user,
software working on behalf of the user, and other pages using TLS that have certificates
identifying them as being from the same domain, can access their storage areas.
Security
Web Storage, both
localStorage
and
sessionStorage
, is not secure and is stored in
plain text with no way to encrypt. If you're worried about data security, don't use
local
Storage
. There are solutions like JCryption (
http://www.jcryption.org
) for those un‐
willing to buy SSL certificates or with hosting providers who do not support SSL. It's no
replacement for SSL, because there is no authentication, but the jCryption plug-in offers
a base level of security while being very easy and quick to install.
Be aware that any form of JavaScript encryption is intrinsically vulner‐
able to man-in-the-middle (MITM) attacks, so it is not a recommended
practice for storing sensitive data.
Private Browsing
Within certain browsers, while the user is running in private or incognito browsing
modes, your application will get an exception when trying to store anything in Web
Storage. Every app that uses
localStorage
should check
window['localStorage'].se
tItem
for a rising
QUOTA_EXCEEDED_ERR
exception before using it. For example, the
problem in
Figure 6-3
is that the
window
object still exposes
localStorage
in the global
namespace, but when you call
setItem
, this exception is thrown. Any calls to
.remov
eItem
are ignored.
Figure 6-3. Error when accessing localStorage
Safari returns null for any item that is set within the
localStorage
or
sessionStor
age
objects. So even if you set something before the user goes into private browsing
mode, you won't be able to retrieve until they come out of the private session.
