How should I safely store passwords and use http auth in chrome extension

I am making a chrome extension that requires retrieving an XML file from a secure server.

I am currently using XMLHttpRequest() to make a call to the server

https://username:password@mydomain.com 

which returns an XML object that I can parse and display. I want this extension to be available not only for my own hobby use, so it needs a settings page where the user can configure and save their username and password.

How do I store the user's password in Chrome so that it is safe? Chrome has a localStorage global for each extension, which lets extension authors store data, but it is stored in plain text. It does not allow extensions to access the "remember my password" store (for good reason).

And is there a safer way to do HTTP auth? My current approach requires passing the username/password in plain text in the URL every time the function is called, even if the authentication session has not expired.

+7
javascript authentication google-chrome-extension password-protection
2 answers

Idea: Ask the user to enter a key that you can use to symmetrically encrypt values before placing them in localStorage. You could also create a unique key for each client based on certain unique aspects of their machine/browser, etc.

+3

The problem with requesting the key is that the user will need to enter it every time they start it (if you store the key, you have the same problem). That can be an acceptable trade-off if what you are protecting is especially sensitive.

In general, Chrome follows a philosophy of trusting the OS to protect the user profile where this data is stored, so if you use local storage to store passwords, this is no different from what Chrome does today with autofilled passwords, browser history, etc.

+11