# general
h
Thank you! I agree, it is not possible to read localStorage across origins as far as I know. I think the author probably meant an XSS attack? @proud-plumber-24205
And there, localStorage and JavaScript-readable cookies have basically the same boundaries (vulnerable to XSS).
a
Following the assumption that the author meant XSS, then with the very same argument sessionStorage and Web Workers would be vulnerable, too, wouldn’t they? Basically, when XSS is possible, you’re screwed anyway 🙂
h
Pretty much, the only good defenses against XSS are HttpOnly and Secure cookies.
a
So, should the blog post be updated then to clarify the assumptions?
h
Yes absolutely
a
👍 Thanks for the chat.
p
Hi Axel, thank you for pointing this out. Yes, this needs to be changed, as it refers to the fact that any rogue JS running on the same origin can extract the contents of localStorage and pass it along to some other source. Cookies that have HttpOnly cannot be read, and the rogue JS would always still have to make the same request from that origin. E.g. example.com has rogue JS which steals the session token from localStorage; it can now be used from anywhere. With Web Workers, XSS is also possible, as mentioned on OWASP:
Storing secrets within the memory of a Web Worker offers the same security guarantees as an HttpOnly cookie: the confidentiality of the secret is protected. Still, an XSS attack can be used to send messages to the Web Worker to perform an operation that requires the secret. The Web Worker will return the result of the operation to the main execution thread.