Are Svelte Stores accessible from the browser console?

Time: 08-30

I wonder if Svelte stores are a good way to store a JWT securely. Are Svelte stores secure against XSS attacks?

CodePudding user response:

Stores cannot be "secure against XSS"; either your site is, or it is not. I suspect your question is whether stores could be read in the case of XSS?

If so, that depends primarily on how the store is handled. To my knowledge there is no global tracking of stores, so you cannot simply get a reference to all previously instantiated stores (such a mechanism would also leak memory).

Then the question is how your components are instantiated and whether they could potentially expose the store. If you did not intentionally set global state (e.g. window.app = new App(...), etc.) it should be hard or impossible to get to it as Svelte components should not leave references in the DOM.

If malicious code is executing on your site, you probably have other issues to worry about, though.

CodePudding user response:

It's very simple...

If any information is stored by JavaScript, in any way, it is accessible by JavaScript and therefore susceptible to XSS.

Cookies, however, when used with the HttpOnly flag, are not accessible through JavaScript, and are immune to XSS.
