nostr:npub12262qa4uhw7u8gdwlgmntqtv7aye8vdcmvszkqwgs0zchel6mz7s6cgrkj

If I make a PWA client, how can I securely store a private key so that it's not susceptible to simple XSS attacks?

localStorage is not secure enough for something so sensitive


Discussion

Have 2 domains. app.example and sign.app.example

On sign.app.example, it acts as an in-browser signer for app.example in a hidden iframe (you do not need users to visit it directly) while always validating that the parent is app.example.

If app.example is broken, they can't break the sign subdomain.

Curious why you'd want the PWA to store private keys in the first place?