LocalStorage is an option that comes with tradeoffs. Whether it is better for a given use case or not is going to come down to the specifics. We assume that we need to persist state between the server and the client. This means that our two choices to identify each request are a token stored in LocalStorage or one stored as a cookie. One is more vulnerable to XSS, the other to CSRF. Personally, I'm generally more concerned about CSRF, but your mileage may vary.
Yah, you can pick either. I personally feel like preventing CSRF is a lot simpler since it's built into almost every web framework by default nowadays. There's only one way to CSRF a website but a million ways to XSS it :(
Well, I find I'm rarely in a place where I'm too concerned about allowing untrusted mobile code into my application. Yes, you can end up with bad actors in things like NPM but an XSS attack is the least of my worries there. And elsewhere it's just a matter of sanitizing user input. Sadly there isn't a silver bullet. Which is why we can't have nice things.
Untrusted input is one vector -- but XSS comes from a lot of places: third-party JS (Google Analytics, etc.) -- domain compromise, DNS hijacking -- all over. It's significantly harder to prevent.
This article really only discusses the content from a web perspective; if you're doing native mobile stuff it's a whole different story =D