Currently I am working on an application that requires secret keys to encrypt and sign information generated by the client and transmited over the wire, these keys are granted per user.
Currently when the user logs in, the keys are downloaded from the API and persisted on localStorage, which is far from optimal as other plugins or embedded applications could obtain them (if they know how these are stored).
I've been trying to implement an isolation mechanism using iframe whereby the client application sends messages to an embedded external site that controls the access to the keys. This moves the issue to the localStorage created by this external website, avoiding an embedded site on the client application to get the information.
I am still hesitating about this approach, mainly because there's still storage involved. Could anyone share relevant experience or suggest a different approach?
Thanks!
