You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
At the Denver Elixir meetup, one of the attendees (@RGENT) raised a concern about token security (video link).
In short, the token saved in sessionStorage may be accessed by 3rd party JS dependencies. Suggested mitigations include cookie storage and/or adding content security policy (CSP).
Because these component interact exclusively via WebSockets, cookies may not be an option here. CSP is likely the better solution, though other alternatives may exist.
I don't think that CSP would do much to solve the issue. It's capable of stopping XSS reflection attacks but generally little else. It's also a pain to work with and often not used. In this use case, it falls short of the Secure and HttpOnly cookies in terms of practical security.
Is it possible to teardown and rebuild Websocket connections transparent to the user? If this is the case, then it might be possible to use session cookies via AJAX.
@RGENT Interesting. I read through the Okta blog article about browser storage methods, and it seems like Web Workers would be the solution for this LiveView implementation. Have you dealt with Web Workers for this type of problem?
At the Denver Elixir meetup, one of the attendees (@RGENT) raised a concern about token security (video link).
In short, the token saved in sessionStorage may be accessed by 3rd party JS dependencies. Suggested mitigations include cookie storage and/or adding content security policy (CSP).
Because these component interact exclusively via WebSockets, cookies may not be an option here. CSP is likely the better solution, though other alternatives may exist.
Resources
The text was updated successfully, but these errors were encountered: