I sometimes use web storage(sessionStorage) to store temporary data when I build SPAs. (I know I shouldn’t store any sensitive information in web storage)
Web storage can restrict to access its data by same-origin policy, which means if I’d like to restrict it for security reasons, I have to use an another (sub)domain, which seems to be costs for developers.
If a site has XSS in a page of its domain, all stored data in web storage can be stolen like this.
[...new Array(1000)].map((_, i) => localStorage.key(i)).filter(k => k).forEach(k => console.log(k, localStorage.getItem(k))) // or [...new Array(1000)].map((_, i) => sessionStorage.key(i)).filter(k => k).forEach(k => console.log(k, sessionStorage.getItem(k)))
In addition to that, web storage can’t specify expires to the data so it;s difficult to store only necessary data.
So I think it would be nice if web storage has a feature that is able to restrict to access its data by path or expires as well as Cookie. The same might apply to IndexedDB.
Are there already any discussions about this? I’ve found it.
Alternatively, should I just use CSP?