Nostr Web Client

Heys devs of Nostr, I have a serious question. If you are not a Nostr dev please repost or tag whomever you feel can help. Thanks in advance.

I am writing my own client. (React PWA) and right now I am dealing with how to store the nsec securely across sessions.

I thought to check how Iris and Snort deal with the issue and found out they both store they in plain text in localStorage.

I am by no means a security expert or a pen tester, but I was under the impression, that storing sensitive data in localStorage leaves the data vulnerable to XSS attacks, which in case of an nsec seems kinda dangerous, as there is no additional level of protection (like a password, 2fa or literally anything else), no way to replace the key and invalidate the old one.

Am I missing something here, or are both apps leaving users vulnerable to XSS attacks?

I myself havent found any better solution that does not require the use of browser extensions (which some browsers do not allow) given how the keys work right now. Does anybody have a decent solution?

Honza Pobořil 2y ago

Can webworker have its storage not accessible by a window? Maybe http-only cookie is readable by webworker? As I know XSS cannot escalate to webworker process.

Reply to this note

Please Login to reply.

Discussion

An Capone 🌗 2y ago

Webworker afaik cannot access cookies at all. Even if it did, it wouldn't have access to secure (http-only) cookies.

It does have access to IndexedDB, but so does the potential attacker. I am not aware of any place that the webworker would have access to and the attacker would not.