8

I'm implementing a Chrome extension, which needs to access a 3rd party API endpoint using a token.

How do I store a token securely in the Chrome extension, assuming other Chrome extension scripts can access the page's localStorage & cookie?

Keven Wang

2 Answers

5

Other scripts cannot access your storage. But a user can always debug your script and see it. You won't be able to encrypt it. At most you can obfuscate it.

Zig Mandel
  • This is true of pretty much any client-side code. Typically the API keys that services provide are to identify sources of abuse, rather than for billing. I'd be reluctant to trust a service that billed me based on a username without a password (which is basically what a client-side token is). TL;DR: don't worry about it. If money is involved, though, consider walking away. – sowbug Mar 07 '14 at 17:08
  • @Zig Mandel How do services like LastPass encrypt users' credentials? – Keven Wang Mar 17 '14 at 18:19
  • Haven't tried it, but they can't unless the key is stored outside, like on a USB – Zig Mandel Mar 17 '14 at 21:05
0

I too don't see how it could be done. The only ways seem to be either calling your server and having the server do the request that involves the API key, or obfuscating it, for example by converting it to a base64 string in code, but even then it'll be visible in the developer tools' network tab.

ihor.eth
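Both answers point the same way: nothing shipped inside the extension can be kept from the user (first answer), so the only real option is to keep the token on a server you control and have the extension call that server instead (second answer). The Node.js proxy below is an added example illustrating that pattern; it is not code from either answer or from any real project. The upstream host `api.example.com`, the allowed routes, the extension id and the `UPSTREAM_TOKEN` environment variable are all assumptions, and the token value is a constructed placeholder. The proxy only forwards an allowlisted set of routes and only for requests whose `Origin` header is the extension's own `chrome-extension://<id>`, so a leaked proxy URL is not a full substitute for the third-party token.

```javascript
// Added example (not from the original question or answers): a minimal
// server-side proxy in Node.js. The extension never holds the third-party
// token; it calls this proxy, which adds the token and forwards the request.
// Host, routes, extension id and env var name are assumptions for illustration.

// The real token lives only on the server, e.g. in an environment variable.
// 'EXAMPLE_TOKEN_PLACEHOLDER' is a constructed placeholder, not a credential.
const UPSTREAM_TOKEN = process.env.UPSTREAM_TOKEN || 'EXAMPLE_TOKEN_PLACEHOLDER';
const UPSTREAM_BASE = 'https://api.example.com'; // hypothetical third-party API

// Forward only the handful of upstream calls the extension actually needs,
// so someone who finds the proxy URL cannot drive the whole upstream API.
const ALLOWED_ROUTES = new Set(['GET /v1/items', 'POST /v1/items/search']);

// Chrome sends "Origin: chrome-extension://<id>" on requests made by an
// extension; <id> below is an assumed value, replace it with your own.
const EXTENSION_ID = 'abcdefghijklmnopabcdefghijklmnop';

function isAllowedOrigin(originHeader) {
  return originHeader === `chrome-extension://${EXTENSION_ID}`;
}

// Decide whether an incoming request may be forwarded and, if so, build the
// upstream request with the secret attached. Returns null when refused.
function buildUpstreamRequest(method, pathWithQuery, originHeader) {
  if (!isAllowedOrigin(originHeader)) return null;
  const verb = String(method || '').toUpperCase();
  const url = new URL(pathWithQuery, UPSTREAM_BASE);
  // An absolute or protocol-relative URL would resolve to another host;
  // refuse anything that does not stay on the upstream origin.
  if (url.origin !== UPSTREAM_BASE) return null;
  if (!ALLOWED_ROUTES.has(`${verb} ${url.pathname}`)) return null;
  return {
    url: url.toString(),
    method: verb,
    headers: { Authorization: `Bearer ${UPSTREAM_TOKEN}` },
  };
}

// Build (but do not start) the HTTP server. fetchImpl is injectable so the
// handler can be exercised without network access.
function createProxyServer(fetchImpl = globalThis.fetch) {
  const http = require('http');
  return http.createServer(async (req, res) => {
    const upstream = buildUpstreamRequest(req.method, req.url, req.headers.origin);
    if (!upstream) {
      res.writeHead(403, { 'content-type': 'text/plain' });
      res.end('forbidden');
      return;
    }
    let body = '';
    for await (const chunk of req) body += chunk;
    const headers = { ...upstream.headers };
    if (body) headers['content-type'] = req.headers['content-type'] || 'application/json';
    const r = await fetchImpl(upstream.url, {
      method: upstream.method,
      headers,
      body: body || undefined, // no body on GET
    });
    // Relay status and body; the Authorization header never reaches the client.
    res.writeHead(r.status, { 'content-type': 'application/json' });
    res.end(await r.text());
  });
}

// Usage: createProxyServer().listen(8080);
// The extension then fetches http://localhost:8080/v1/items instead of
// calling api.example.com with the token itself.
```

The proxy does not make the extension's own calls unspoofable (anyone can set an `Origin` header outside a browser), so the allowlist is what limits the damage; if the third-party service bills per call, a per-user login on the proxy is the next step, which matches the first answer's comment about not trusting a password-less token with money.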