Crypto keys stored in IndexedDB with {extractable: false} cannot be exported. In other words:

  • the key itself cannot be retrieved
  • but the CryptoKey object that owns the key has APIs that can be used to encrypt, decrypt, verify, or sign data based on that key.

Now, is it possible that a malicious XSS script could access IndexedDB and steal the CryptoKey object itself (not steal the key alone, but steal the entire CryptoKey object that owns the key) and use it to encrypt, decrypt, sign, or verify data?

raneshu
