Save an object in localStorage without being able to read its content?
I found the nice "localStorage" function of HTML5. As I understood it, it only allows saving strings, so we need to use eval()/JSON to save objects/functions as well.
Now I want to know if it is possible to save a string that can be executed with eval() but can't be read.
So I want to use localStorage.setItem only one time, disable localStorage.getItem completely and replace it with something like "localStorage.evalItem".
This would be a safe way against XSS/MITM (after the functions have been saved).
EDIT:
Details: The idea was to save something similar to:
function aes_encode(string) {
    var salt = 'unique_salt';
    // aes encoding...
    return salty_encoded_string;
}
in a non (source-)readable storage hosted on the visitor side.
And as the unique salt is created once for every visitor, it would be possible to verify the client data.
But as James and nwellcome (thx!) said, it's not possible to avoid reading the source.
I don't think downvoting is correct, or was the question so unclear?!
As a rule of thumb, to prevent XSS, don't trust data coming from clients.
This includes anything in local storage. LocalStorage does not have an HTTPOnly flag like cookies to make it inaccessible to Javascript. Even if it did, the user could use a debug tool to modify it. For this reason I would warn against using eval() on anything you get from localStorage. I encourage you to use JSON sans eval to read JSON objects and to not use it for functions at all. You should be able to accomplish anything you would be able to by putting functions in localStorage by instead using appropriate caching and offline applications. As an aside, the way you described it
So I don't believe your approach could prevent anyone from reading if it could eval.
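The two points of the exchange above, worked through as an added example that is not code from the asker or the answerer: first the "setItem once, evalItem only" design from the question, with three ways a script running in the same page still recovers or abuses the stored salt; then the alternative the answer recommends, data only, decoded with JSON rather than eval() and validated. It assumes Node.js and uses a constructed Map in place of window.localStorage (which Node does not provide); the key names, the salt value and the settings schema are made up for the demonstration, and JSON.parse is used as the modern equivalent of the json_sans_eval library the answer names.

```javascript
// Added example for this Q&A, not code from the asker or the answerer.
// Assumption: runs under Node.js; `store` is a constructed Map standing in for
// window.localStorage, and every key, salt and schema below is made up.
const store = new Map();

// --- The asker's design: setItem once, no getItem, only evalItem() ---------
function setItemOnce(key, source) {
  if (store.has(key)) throw new Error(`${key} is already set`);
  store.set(key, source);
}

// Runs the stored source through eval() and returns whatever it evaluates to.
function evalItem(key) {
  return eval(store.get(key));
}

// Stored once per visitor; the salt is the value the page hopes to keep unreadable.
setItemOnce("aes_encode", `
  (function aes_encode(s) {
    var salt = "unique_salt_4f2a";   // made-up per-visitor secret
    return salt + ":" + s;           // stand-in for the real AES step
  })
`);

// --- Why the design fails against script running in the same page -----------

// 1. evalItem() has to hand the source to eval(). A payload that runs before the
//    page calls evalItem() can replace the global eval and read every string it sees.
function leakViaEvalHook() {
  const realEval = globalThis.eval;
  let captured = null;
  globalThis.eval = function (src) {
    captured = src;
    return realEval(src);            // still evaluate, so the page keeps working
  };
  try {
    evalItem("aes_encode");
  } finally {
    globalThis.eval = realEval;      // restore the original to hide the hook
  }
  return captured;
}

// 2. Even with eval untouched, the function object evalItem() returns carries its
//    own source text, salt included.
function leakViaSource() {
  return evalItem("aes_encode").toString();
}

// 3. Knowing the salt is not even required to forge "verified" client data: the
//    attacker calls the same function on chosen input, exactly as the page would.
function forgeWithoutSalt(payload) {
  return evalItem("aes_encode")(payload);
}

// --- What the answer recommends instead ------------------------------------
// Keep only data in storage, decode it with JSON.parse (never eval), validate its
// shape field by field, and treat the result as untrusted input the server re-checks.
const DEFAULT_SETTINGS = Object.freeze({ theme: "light", fontSize: 14 });
const ALLOWED_THEMES = new Set(["light", "dark"]);

function readSettings(key) {
  const raw = store.get(key);
  if (typeof raw !== "string") return { ...DEFAULT_SETTINGS };
  let parsed;
  try {
    parsed = JSON.parse(raw);        // a tampered or non-JSON value throws here
  } catch {
    return { ...DEFAULT_SETTINGS };
  }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return { ...DEFAULT_SETTINGS };
  }
  // Whitelist each field; anything unexpected falls back to the default.
  const theme = ALLOWED_THEMES.has(parsed.theme) ? parsed.theme : DEFAULT_SETTINGS.theme;
  const fontSize =
    Number.isInteger(parsed.fontSize) && parsed.fontSize >= 8 && parsed.fontSize <= 32
      ? parsed.fontSize
      : DEFAULT_SETTINGS.fontSize;
  return { theme, fontSize };
}
```

Run it with `node` and call `leakViaEvalHook()`, `leakViaSource()` and `forgeWithoutSalt("balance=1000000")` to see the salt leak or get used without ever touching getItem; in a real browser the attacker's XSS payload would additionally have `Storage.prototype.getItem` and the devtools at hand, so the "disable getItem" wrapper buys nothing. `readSettings()` shows the safe direction: the stored string is data, it never reaches eval, and a value the user edited in devtools can at worst pick a wrong default, not run code.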