Closed vairaselvam closed 1 year ago
Especially for storage of keys, is this more a question for the Web Crypto API, specifically, the Security considerations for authors section?
The OPFS (a.k.a. "Bucket File System") is "private" in the same way that IndexedDB is. It cannot be accessed by other websites/apps and "it is not intended that the contents are easily user accessible", though, like IDB, a sufficiently motivated user may be able to find the "files". Meanwhile, extensions can access it using Content Scripts (as the OPFS Explorer does).
Reading the documentation of OPFS and seeing the statement "not visible to other users", I felt happy and thought that it is more secure to store protected data as files, such as keys, tokens, etc. But after seeing the OPFS Explorer and the non-persistent nature, I feared adding it to the application.
My suggestion is to make it more secure, so that it is accessible only by the domain's app and not by any other apps/users, or even Chrome extensions. Thanks.