- From: Nicholas Zakas <nzakas@yahoo-inc.com>
- Date: Tue, 30 Mar 2010 11:55:12 -0700
Hi everyone, In attempting to use localStorage at work, we ran into some major security issues. Primary among those are the guidelines we have in place regarding personalized user data. The short story is that personalized data cannot be stored on disk unless it's encrypted using a company-validated encryption mechanism and key. So if we actually wanted to use localStorage, we'd be forced to encrypt each value as it was being written and then decrypt each value being read. Because of this tediousness, we opted not to use it. Another major issue also relates to the persistence of the data in localStorage. Whereas cookies allow you to specify a time at which the data will be removed, localStorage is there more or less forever. It seems like any company that takes the security of its data seriously would run into the same issues, and rather than forcing every company to implement their own version of the same approach, a common native approach would be incredibly useful. With these problems in mind, and talking with a few other interested parties, I came up with a draft proposal for a client-side data storage mechanism that automatically handles encryption, decryption, and data expiration. I'd love to hear what people think: http://www.nczonline.net/blog/securestore-proposal/ -Nicholas ______________________________________________ Commander Lock: "Damnit Morpheus, not everyone believes what you believe!" Morpheus: "My beliefs do not require them to." -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20100330/161836e3/attachment.htm>
Received on Tuesday, 30 March 2010 11:55:12 UTC