I'm making a Chrome extension that requires fetching an XML file from a secure server.

I'm currently using XMLHttpRequest() to make a call to the server

https://username:[email protected]

which returns an XML object that I can parse and display. I want this extension to be available for more than just my hobby use, so it needs an options page to set and store the username and password.

How should I store the user password in Chrome so that it is secure? Chrome has a localStorage global for each extension that allows extension authors to store data, but it is stored in plain text. It doesn't allow extensions to access the 'remember my password' storage (with good reasons).

And is there a more secure way to do HTTP auth? My current way of doing things requires passing the username/password in plain text in the URL each time the function is called, even if the authentication session hasn't expired.


asked Dec 25, 2009 at 7:13 by Charles Ma (edited Dec 25, 2009 at 7:49)

2 Answers

The problem with asking for a key is that it means that you'll have to prompt each time at startup (if you store the key, you have the same problem). This may be an OK tradeoff if what you're protecting is especially sensitive.

In general, Chrome takes the philosophy of trusting the OS to protect the user's profile where this data is stored, so if you use local storage to store passwords, it's no different than what Chrome is doing today with password autofill, browser history, etc.

An idea: ask the user for a key, which you can use to symmetrically encrypt the values before putting them in localStorage. You could also generate a unique key per client based on certain unique aspects of his machine/browser/etc.
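
The idea in the answer above (encrypt with a user-supplied key before writing to localStorage), sketched as an added example that is not part of the original answers. Using Web Crypto with PBKDF2-SHA-256 and AES-GCM is a choice made here; the function names, record layout and iteration count are assumptions.

```javascript
// Added example: passphrase-derived AES-GCM encryption of a credential before
// it is written to extension storage. All names here are illustrative.
const webcrypto = globalThis.crypto ??
  (typeof require === "function" ? require("node:crypto").webcrypto : undefined);
const subtle = webcrypto.subtle;
const PBKDF2_ITERATIONS = 600000; // assumption: tune for the target hardware

const toB64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Derive a non-extractable AES-256-GCM key from the user's passphrase.
async function deriveKey(passphrase, salt) {
  const material = await subtle.importKey(
    "raw", new TextEncoder().encode(passphrase), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: PBKDF2_ITERATIONS, hash: "SHA-256" },
    material, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Returns a JSON string suitable for localStorage: it holds only the salt,
// the nonce and the ciphertext, never the passphrase or the derived key.
async function sealCredential(passphrase, secret) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh per encryption
  const key = await deriveKey(passphrase, salt);
  const ct = await subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(secret));
  return JSON.stringify({ v: 1, salt: toB64(salt), iv: toB64(iv), ct: toB64(ct) });
}

// Returns the plaintext, or null when the passphrase is wrong or the stored
// record was modified (the GCM tag check fails in both cases).
async function openCredential(passphrase, stored) {
  try {
    const { salt, iv, ct } = JSON.parse(stored);
    const key = await deriveKey(passphrase, fromB64(salt));
    const pt = await subtle.decrypt(
      { name: "AES-GCM", iv: fromB64(iv) }, key, fromB64(ct));
    return new TextDecoder().decode(pt);
  } catch {
    return null;
  }
}
```

The passphrase itself is never stored, so the extension has to prompt for it each session, which is the tradeoff the first answer describes.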

Tags: javascript, How should I securely store passwords and use http auth in a chrome extension, Stack Overflow