Why Nostr? What is Njump?
2024-10-22 20:30:45

Alex Gleason 🐍🚬 on Nostr: There is probably some way for an attacker to get around this. But I made a best ...

There is probably some way for an attacker to get around this. But I made a best effort to modify the global JavaScript API in the browser to prevent access to specific items in localStorage.

Basically as soon as possible into the page loading, we get the value and make it a private property of a NostrSigner object (so you can only call methods like getPublicKey, signEvent, etc), then we lock the key from being accessed again. An XSS attack would have to load prior to this script getting called, or do some JS trickery I haven't considered.

Author Public Key
npub1q3sle0kvfsehgsuexttt3ugjd8xdklxfwwkh559wxckmzddywnws6cd26p