What vulnerabilities do i face, when coding a web app utilising localStorage, of a user inadvertently or deliberately delete localStorage data?
I'm happy to put a button saying "Delete my data", this is under my control, but are there ways beyond my control that localStorage data may be deleted? Or not used (ie. Incognito mode/private browsing mode)?
Thanks
Anyone can call localStorage.clear() from the console or location bar at any time. It's possible for a bookmarklet to be used to do the same thing.
Treat localStorage with the same volatility you'd treat a cookie. Assume that it can disappear at any time. It's best used for user-settings and temporary data. If a user clears it, be prepared to use default fall-backs or start the process over.
localStorage is editable by the user , it's similar to the cookies .
User can delete / edit it if he wants , so you should make ur tests on server sides ...
here's an example of how angry birds got hacked ...
http://thenextweb.com/apps/2011/05/11/angry-birds-for-chrome-already-hacked-unlocking-all-levels/
var i = 0;
while (i<=69) {
localStorage.setItem('level_star_'+i,'3');
i++;
}
window.location.reload();
Here's what we found a user can do on iPhone IOS4 and iPad IOS4.
Kill Safari
Double tap your "action button", press and hold the safari button that shows up on the bottom. When the circle with an x in the middle shows up, click the x.
Clear the Safari cache
Settings | Safari | Clear cache
Start Safari back up
Bad news - all sites local storage is cleared, not just yours!
Related
hi im using laravel 8 and my software is pos ..
everything working so good but i have big problem ..
thats sometimes the cashier can refresh the page when the customer is gone without save the invoice
..
so what i did is this ..
document.addEventListener('keydown', (e) => {
e = e || window.event;
if(e.keyCode == 116)
{
var is_admin = $("#is_admin").val();
if(is_admin != 1)
{
e.preventDefault();
// this code here will not allow f5 to work
}
}
});
but the cashiers goes to the address bar and hit enter and like that he refresh the page
also sometimes they hit the refresh button beside url bar
so i start chrome in kisok mode in full screen
but the problem thats he can move the mouse to the top of the browser and the url bar will show again and he can do refresh page ..
so the solution for my problem is there any way to set password in chrome when refresh the page or close the chrome or is there any way to start chrome without close bar and url bar in kisok mode
thanks ..
Based on my research I didn't find anything related to setting a password in chrome for closing, instead, I have other solutions that may help you by considering this closing/refreshing issue happens accidentally.
#1st Solution - Closure Extension
https://chrome.google.com/webstore/detail/closure/jjagagcgljmlnihcilbpbfcglnopepjb
a very simple extension that works by locking the current browser tab. Click the toolbar icon or right-click on a page and select “Confirm Closure”. The favicon for the website in the current tab will turn into a padlock.
if the cashier clicked on the refresh button or the closing button a confirmation popup will show up.
#2nd Solution - Disable Close Button
checkout these 5 software that claims to prevent accidental closing of software by disabling the close button
https://www.raymond.cc/blog/prevent-program-closing-disabling-close-button/
#3rd Solution - Saving Draft.
The last solution I have is a workaround you can make by using
window.addEventListener('beforeunload', function (e) {
// saving current invoice in localstorage to be retrieved later
});
// check this answer
// https://stackoverflow.com/questions/13443503/run-javascript-code-on-window-close-or-page-refresh
beforeunload event, so you can save a draft of the current invoice in locale storage before closing the window, but you are should be very aware of how to manage these drafts, when to retrieve them, and when to clean them.
Also, you can use service workers if you choose this kind of solution.
Again, this all about if the cashier accidentally makes this behavior, which I think he must be aware of what he is doing, so you are making your validations as you can to prevent such behavior and make your system as robust as possible, I encourage you to think of this problem in a technical way then you should take the 3rd solution, and for the client just offer him the other 2 solutions which I see they will work well, otherwise, if the client wants to make something wrong in purpose then it will be his responsibility.
On the iPhone's Instagram app browser(in app) if you open a website that includes html inputs of any type, something strange happens.
In the beginning everything is working, but once you tap an input and type something ( and the keyboard is opened), after you close the keyboard you can't click on anything anymore because all buttons/inputs/elements are clickable in a different location than where they showed ( button is showed in the original 100px location but click events are now on 50px).
It looks like after the keyboard opens the whole location calculation is shifted up(because the keyboard pushes the whole body up)
How to even begin to debug such thing ?
Honestly, I've been there. There is no way to debug the in-app browser (you can try on an iphone device mirroring with Chrome in MAC, but you will eventually fail), but I've tried without success.
It turned out that after digging around with similar issues, there was a caching issue and some disabled features with WP ENGINE from my client. They were able to fix it by allowing some parameters on nginx settings and then the In App browser wasn't stucked anymore.
I know every issue is different, but at this time, I haven't found a way to debug the In - App browser.
I can't speak to iOS specifically, but there definitely are ways to remote debug things.
My go-to for stuff like this (speaking from experience of browsers on gaming consoles) is Weinre: https://people.apache.org/~pmuellr/weinre/docs/latest/Home.html You get something similar to Chrome Developer Tools, but it works over a Socket.IO connection.
Another tool I like to use is Fiddler. While it won't help you with your DOM issues, if you ever need to debug network stuff on oddball devices, it's perfect. It serves as a proxy server and can intercept all your connections, including HTTPS. https://www.telerik.com/fiddler
Turns out, that it's a fixed position and it's not supported, which means when keyboard is closed, the system will push back the whole view but click events stay up (because it's being pushed up when you open a keyboard).
So instead of make it an absolute modal, which has it's own problem, we keep it fixed, BUT, we do the pushing up/down by our own.
We could just push the screen back down on input unfocused, but if user click the next field you get unwanted behavior, so we create a delay based machine like so :
var isfocused=0;
var focusTimer=0;
$("input").blur(function() {
isfocused=0;
focusTimer = setTimeout(focusDone, 150);
});
$("input").focus(function(){
isfocused=1;
});
function focusDone(){
if(isfocused===0)
$(window).scrollTop(0,0);
clearTimeout(focusTimer);
}
This works great on social browsers, with fixed positioned modals that has inputs inside them.
So i've been banging my head against the wall trying to figure this out, and it's about time I ask for help. I have a flash audio recorder that is displaying a popup to the user asking them to allow microphone access using:
AS3 --
Security.showSettings(SecurityPanel.PRIVACY);
Now, on chrome it works perfect! Everything shows up correctly and looks like this:
http://postimage.org/image/6e6ldfmpj/
Great. Now the issue is, on Firefox (and I believe IE9) it looks like:
http://postimage.org/image/mqp1kmcjj/
Notice how there are only 3 tabs in the second one (Firefox). Well, the second tab over is Privacy and allows you to "allow" or "deny" our website from accessing your mic. So it's a bit of an issue that that tab is not even visible... Any thoughts on that? I can't seem to find anywhere where anyone has had that same flash dialog box pop up with only 3 tabs.
Thanks in advance!
You can use [Allow][Deny] dialog:
It appears whenever you access microphone/camera by attaching them to NetStream.
Related question on stackoverflow:
allow deny remember flash security panel
As Sunil D. mentioned above, Firefox will not show some tabs in private/incognito mode. The problem is user can turn it on not only by opening new private window, but also by changing some regular Firefox preferences. Go to Firefox options, select "Privacy" tab and search for "History" group. There you will see a dropdown with "Firefox will:" label. There you can select "Never remember history" item and browser will show you a small tip:
Firefox will use the same settings as private browsing, and will not remember any history as you browse the Web.
Then your browser will be restarted. Further research revealed that Firefox really turns private mode on after such manipulations. Sunil D. and Jordan Reiter were both right - the problem can happen with users in private mode and problem can be solved by reinstalling Firefox with all it's configurations (including that history setting). Of course, it's much easier to ask users to change that setting. Also private mode detection with JavaScript can help to inform user about this expected problem.
this is insanely annoying problem:
AS3 full screen application based on ADOBE FLEX 4, text field. User types something in text field, and then starts clicking backspace many many times to remove what he just wrote, and for some reason, instead of removing characters from text field it tells browser to GO BACK and user navigates away. Why?! Please, please help, this is so terrible. My users are losing important unsaved this is data while using my application!
i am using safari browser
PLEASE HELP.
Wow, this is terrible, I am so irritated, it happens every single time
It is possible that the focus is lost from your text field when hitting the backspace multiple times (check if you are firing some events on the text field that may cause this), which causes the main window to take focus and trigger 'Back' on the browser.
The root of the problem is that the browser carries out keyboard shortcuts REGARDLESS of the flash app having the focus or not. From what I heard this problem does not exist on Safari's for Mac, only Safari for Windows.
I would check to see what browser you are in and then create a popup saying you this app does NOT work on Safari browser ON windows.
Scratching head*
Well maybe if HAD to solve this, I would use the ExternalInterface to interact with Safari or javascript to PREVENT the history back button from getting applied. So it won't go back to an old page. That is what I would look into.
My HTML5 app uses Google Maps and tracks the user with navigator.geolocation.watchPosition, showing their location with a marker on the map.
I also have a toggle button. If the user clicks Off, I would like to stop tracking them with watchPosition.
This is my code so far:
$("#loc-label").click(function(){
if ($('#loc').is(':checked')) {
navigator.geolocation.clearWatch(watchId);
position_marker = null;
} else {
watchId = navigator.geolocation.watchPosition(geolocationWorked, geolocationFailed, {enableHighAccuracy:true, maximumAge:30000, timeout:27000});
}
});
However, with this code, whenever the user toggles location on, they get re-prompted by the browser (in Firefox at least) asking them if they are willing to share their location.
Is there any way around this? Ideally I'd only like to prompt them once.
Obviously I could just hide the marker (but really continue to track their location) when the user toggles off. However, this isn't ideal, as I'm using high accuracy (i.e. GPS if available) and I'd prefer to give the user the ability genuinely to turn geolocation off.
Thanks!
I guess the behavior is device-specific. When testing the demo at http://www.thedotproduct.org/experiments/geo/ on my HTC Desire I get prompted only once unless I reload the page.
Of course the user won't be prompted again anyway if he chooses to permanently allow the page to access the users location (which I did not for the demo above).
Safari and Chrome (on mac at least) have settings to choose whether to ask. Haven't found that on Firefox yet; seems to prompt all the time.