
For your app, maybe.

But most apps cannot be used offline at all, and instead they use localStorage as another place to store a tracking cookie. So as a user, I fully support this change, because there should not be a loophole like this.



There are many legit uses for localStorage.

Storing JWTs, game state data, etc.


I have an old HTML5 game I made that stores a high score in localStorage. I might have to figure out an alternative solution later down the road.


Why store a JWT in local storage? Local storage can also be accessed by CDN scripts. Please don't put your users' data at risk.


localStorage is limited to a domain, a common security model in the browser also used by cookies, and prevents cross-origin leaks (unless a developer volunteers to expose the data via postMessage, whose destination can also be limited to specific origins).

This is also why it is important to load your app's JS from your domain or same-origin and not offload it to a 3rd-party server which you might not control (libraries like jQuery CDNs and whatnot are still a minor risk, particularly from a privacy perspective, but not as bad, although I never saw the point with the large variety of versions).
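An added example, not from the thread above, modelling the two origin rules the comments rely on with Node's built-in URL class: a script runs with the origin of the document that included it, not the origin it was fetched from (so a CDN-hosted script can read the page's localStorage), and postMessage only delivers when the target origin matches the receiving window's origin exactly (or is "*"). The document URLs, the CDN URL, and the token value are hypothetical, constructed for the example; the in-memory storage map stands in for the browser's per-origin localStorage.

```javascript
// Added example (not from the HN thread): models browser origin rules in Node.

// Origin = scheme + host + port, default ports elided (WHATWG URL semantics).
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Stand-in for the browser's localStorage: one Map per origin.
const storageByOrigin = new Map();

function makeDocument(url) {
  const origin = originOf(url);
  if (!storageByOrigin.has(origin)) storageByOrigin.set(origin, new Map());
  return { origin, localStorage: storageByOrigin.get(origin), scripts: [] };
}

// A <script src=...> executes in the embedding document's origin, whatever
// host it was downloaded from, so it gets the same localStorage handle.
function runScriptIn(doc, scriptUrl, fn) {
  doc.scripts.push(scriptUrl);
  return fn(doc.localStorage); // scriptUrl's origin plays no role here
}

// postMessage delivery rule: "*" delivers anywhere; otherwise the receiving
// window's origin must equal the targetOrigin the sender specified.
function postMessageDelivers(targetOrigin, receiverOrigin) {
  if (targetOrigin === '*') return true;
  return originOf(targetOrigin) === receiverOrigin;
}

function demo() {
  // Hypothetical app page and an unrelated cross-origin page.
  const app = makeDocument('https://app.example.com/index.html');
  const other = makeDocument('https://evil.example.net/');

  // Constructed sample token, stored the way the thread warns against.
  app.localStorage.set('jwt', 'constructed.sample.token');

  // A third-party script included by the app page reads it freely.
  const readByCdnScript = runScriptIn(
    app, 'https://cdn.example.org/lib.js', (ls) => ls.get('jwt'));

  // A different origin has its own storage and sees nothing.
  const readCrossOrigin = other.localStorage.get('jwt');

  return {
    readByCdnScript,
    readCrossOrigin,
    deliversToApp: postMessageDelivers('https://app.example.com', app.origin),
    deliversToOther: postMessageDelivers('https://app.example.com', other.origin),
    deliversWildcard: postMessageDelivers('*', other.origin),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of `runScriptIn` is that the script URL is recorded but never consulted: once the page embeds a script from any host, that code is same-origin with the page for storage purposes, which is the risk the comment about CDN scripts describes.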


It's sad there are people not aware that cross-origin policies are actually helping them. They are the most misunderstood, hated policies.




