Shopify / slate

Slate is a toolkit for developing Shopify themes. It's designed to assist your workflow and speed up the process of developing, testing, and deploying themes.
https://shopify.github.io/slate
MIT License

Passing Sensitive Data From Liquid To Js #987

Closed jesster2k10 closed 5 years ago

jesster2k10 commented 5 years ago

Problem

How exactly would you pass sensitive data (e.g. an Instagram Access Token) from the settings_schema (Liquid) to Slate's JS without exposing it to the DOM?

I know it's possible to use data attributes on the HTML object or global variables but this exposes the access token.

Replication steps

N/A

More Information

N/A

dan-gamble commented 5 years ago

Access tokens that are already in the settings_schema or were embedded in the JavaScript by doing {{ settings.access_token }} have always been exposed, just in the JavaScript instead of the DOM.

There's no real way for you to truly hide access tokens if you're going to be storing them in settings (as far as I know).

justinmetros commented 5 years ago

Dan is correct, and it's important to know that Liquid renders to HTML, so anything in Liquid is HTML. And anything you have in HTML is inherently insecure.

For things like an Instagram access token, thousands (millions?) of sites use that and you should be fine. It doesn't compromise your account with Instagram. If your token is abused, Instagram will shut it down and you make a new one. This will happen often, even without abuse (Instagram is a little B with their access tokens).

Pixel Union makes it easy to generate new tokens.
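The point made in the two replies above (a value rendered by Liquid is in the served HTML whether it lands in a data attribute or inside a `<script>` tag) can be checked mechanically. The following is an added example, not code from Slate or from anyone in this thread: a tiny stand-in for Liquid's `{{ settings.x }}` substitution plus an audit function that scans rendered HTML for the values of settings you consider sensitive and reports where they surface. The settings object, the placeholder token string and the two templates are constructed for the example; real Liquid has filters and escaping rules this stand-in does not model.

```javascript
// Added example: simulate Liquid substituting theme settings into a template,
// then audit the resulting HTML for sensitive values. Not Slate's or Shopify's code.

// Constructed sample settings; the token is a placeholder, not a real credential.
const settings = {
  instagram_access_token: "IGQV-EXAMPLE-TOKEN-0000",
  shop_name: "Example Shop",
};

// Minimal stand-in for Liquid's {{ settings.key }} output tags (illustration only).
function renderLiquidLike(template, values) {
  return template.replace(/\{\{\s*settings\.(\w+)\s*\}\}/g, (_, key) =>
    Object.prototype.hasOwnProperty.call(values, key) ? String(values[key]) : ""
  );
}

// Pattern 1 from the thread: the token passed via a data attribute on a DOM node.
const dataAttrTemplate =
  '<div id="insta-feed" data-token="{{ settings.instagram_access_token }}"></div>';

// Pattern 2 from the thread: the token embedded in a script as a global variable.
const globalVarTemplate =
  '<script>window.theme = { igToken: "{{ settings.instagram_access_token }}" };</script>';

// Audit: report every place a sensitive setting's value appears in the served HTML,
// and whether that occurrence sits in plain markup or inside an inline <script> block.
// Either way the value is readable with view-source or curl; this only labels where.
function auditRenderedHtml(html, values, sensitiveKeys) {
  const findings = [];
  for (const key of sensitiveKeys) {
    const value = values[key] === undefined ? "" : String(values[key]);
    if (!value) continue;
    let idx = html.indexOf(value);
    while (idx !== -1) {
      const before = html.slice(0, idx);
      const lastOpen = before.lastIndexOf("<script");
      const lastClose = before.lastIndexOf("</script>");
      const inScript = lastOpen !== -1 && lastOpen > lastClose;
      findings.push({ key, offset: idx, context: inScript ? "inline-script" : "markup" });
      idx = html.indexOf(value, idx + value.length);
    }
  }
  return findings;
}

// Render both patterns and audit them; returns one findings list per pattern.
function renderAndAudit() {
  const sensitive = ["instagram_access_token"];
  return {
    dataAttr: auditRenderedHtml(renderLiquidLike(dataAttrTemplate, settings), settings, sensitive),
    globalVar: auditRenderedHtml(renderLiquidLike(globalVarTemplate, settings), settings, sensitive),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(renderAndAudit(), null, 2));
}
```

Run against a real rendered theme page (for example the output of `curl` on the storefront), the same audit shows that moving a token from a `data-` attribute into a `<script>` global changes only the `context` label, not whether the value is present: both occurrences are in the response body that every visitor receives.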

jesster2k10 commented 5 years ago

Ok, great thanks for the response. I've already implemented it into my site. There's no reason for concern since it was already exposed before.

Thanks for the comment!

lock[bot] commented 5 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.