In modern web development, there are several storage options available in browsers
base on browser implementation
accessToken/sessionToken
In Server, it is a common pratice to protect sensetive data
ctx.setCookie('token', token, {
httpOnly: true,
secure: true,
path: '/',
sameSite: envs.NODE_ENV === 'production' ? true : 'none',
});
localStorage/sessionStorage
cookies
non sensitive data (user config)
sensitive data (token)
Source URL | Compared URL | Same Origin? | Reason |
---|---|---|---|
http://example.com | http://subdomain.example.com | No | Different subdomains |
https://example.com | http://example.com | No | Different protocols (https vs http) |
http://example.com:80 | http://example.com:8080 | No | Different ports (80 vs 8080) |
http://subdomain.example.com | http://another.example.com | No | Different subdomains |
http://example.com/abc | http://example.com/bcd | Yes | Same protocol, subdomain, and port |
content script
background script
execute in individual tabs
execute in background
// content script
const allLocalStorage = {};
for (let i = 0; i < localStorage.length; i++) {
const key = localStorage.key(i);
allLocalStorage[key] = localStorage.getItem(key);
}
const domain = new URL(window.location.href).hostname;
chrome.storage.local.set({ [domain]: allLocalStorage }, function() {
console.log(`LocalStorage for ${domain} is saved to chrome.storage.local`);
});
Access your localStorage and save it somewhere for easy retrieval and future use
Even we can hijack web API
((win) => {
const nativeLocalStorage = win.localStorage;
win.nativeLocalStorage = nativeLocalStorage; // keep the original usage
class MyLocalStorage extends Storage {
setItem(key, value) {
const secret = encrypt(value, passphrase);
nativeLocalStorage.setItem(key, secret);
}
getItem(key) {
const secret = nativeLocalStorage.getItem(key);
return secret ? decrypt(secret, passphrase) : null;
}
}
const myLocalStorage = new MyLocalStorage();
// Assign the newly created instance to localStorage
Object.defineProperty(win, 'localStorage', {
value: myLocalStorage,
writable: true,
});
win.localStorage = myLocalStorage;
console.log("window.localStorage", win.localStorage)
})(window);
localStorage
Web API
developer console
File(leveldb)
localStorage
Web API
developer console
File(leveldb)
encryption data
encryption data
getItem method
{
"name": "Permissions Extension",
...
"permissions": [
"activeTab",
"contextMenus",
"storage"
],
"optional_permissions": [
"topSites",
],
"host_permissions": [
"https://www.developer.chrome.com/*"
],
"optional_host_permissions":[
"https://*/*",
"http://*/*"
],
...
"manifest_version": 3
}