Alex Gleason 🐍🚬 on Nostr: There is probably some way for an attacker to get around this. But I made a best ...
There is probably some way for an attacker to get around this. But I made a best effort to modify the global JavaScript API in the browser to prevent access to specific items in localStorage.
Basically as soon as possible into the page loading, we get the value and make it a private property of a NostrSigner object (so you can only call methods like getPublicKey, signEvent, etc), then we lock the key from being accessed again. An XSS attack would have to load prior to this script getting called, or do some JS trickery I haven't considered.
Published at 2024-10-22 20:30:45
Event JSON
{
"id": "b2f1e76434aaecaa6a93a12105ddf873bf28fee86cc906cb376a168eaafe0cd2",
"pubkey": "0461fcbecc4c3374439932d6b8f11269ccdb7cc973ad7a50ae362db135a474dd",
"created_at": 1729629045,
"kind": 1,
"tags": [
[
"imeta",
"url https://image.nostr.build/25e0f56b16af6af73bd91f0dfb327b298c08345bf8f797e055e38a79634de8dc.png",
"m image/png",
"x 1b4b59af8c9ef285a3a1b4838be7cf8c512a73f819da7630fa7f6c09c577f7ee",
"ox 25e0f56b16af6af73bd91f0dfb327b298c08345bf8f797e055e38a79634de8dc",
"size 20217",
"dim 508x186",
"blurhash L28pil^+M{Rj}@xaWCa#0yR%kDbb"
]
],
"content": "There is probably some way for an attacker to get around this. But I made a best effort to modify the global JavaScript API in the browser to prevent access to specific items in localStorage.\n\nBasically as soon as possible into the page loading, we get the value and make it a private property of a NostrSigner object (so you can only call methods like getPublicKey, signEvent, etc), then we lock the key from being accessed again. An XSS attack would have to load prior to this script getting called, or do some JS trickery I haven't considered.\n\nhttps://image.nostr.build/25e0f56b16af6af73bd91f0dfb327b298c08345bf8f797e055e38a79634de8dc.png",
"sig": "f2a6753fb07d163efc3733c02700e40c932403cc77f8b4977eb7d98b62314b9ec17f3226e8688971c0693430cc6ad98e39baecf5269405b3bef29ad438e15291"
}
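The mechanism the post describes, written out as an added example (this is not Alex Gleason's code or any published client's): read the secret out of localStorage as early as possible in page load, keep it only in a private field of a signer object that exposes getPublicKey and signEvent, then lock the storage entry so later scripts see it as absent. The entry name SECRET_KEY_NAME, the in-memory storage stand-in, the event shape and placeholderSign (which stands in for a real BIP-340 Schnorr signature over secp256k1) are all assumptions made for the example.

```javascript
// Added example, not the post author's code. Assumed: the entry name, the event shape,
// and placeholderSign, which stands in for a real BIP-340 Schnorr signature.
const SECRET_KEY_NAME = 'nostr_secret_key'; // assumed name of the localStorage entry

// In-memory stand-in for window.localStorage so this runs outside a browser
// (constructed for the example; in a page, pass window.localStorage instead).
class MemoryStorage {
  #map = new Map();
  get length() { return this.#map.size; }
  key(index) { return index < this.#map.size ? [...this.#map.keys()][index] : null; }
  getItem(name) { return this.#map.has(String(name)) ? this.#map.get(String(name)) : null; }
  setItem(name, value) { this.#map.set(String(name), String(value)); }
  removeItem(name) { this.#map.delete(String(name)); }
}

// Placeholder "signature" (FNV-1a over secret|message). Nostr really uses BIP-340 Schnorr
// over secp256k1; this only shows the secret being used without ever being returned.
function placeholderSign(secret, message) {
  let h = 0x811c9dc5;
  for (const ch of `${secret}|${message}`) {
    h ^= ch.codePointAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

class NostrSigner {
  #secret; // private fields are invisible to Object.keys, JSON.stringify and Reflect.ownKeys
  #signFn;
  constructor(secret, signFn) {
    this.#secret = secret;
    this.#signFn = signFn;
    Object.freeze(this); // later scripts cannot add or swap properties on this instance
  }
  getPublicKey() { return this.#signFn(this.#secret, 'pubkey'); } // placeholder derivation
  signEvent(event) {
    const pubkey = this.getPublicKey();
    // NIP-01 serialization; a real signer SHA-256 hashes it for the id and Schnorr-signs the id.
    const serialized = JSON.stringify([0, pubkey, event.created_at, event.kind, event.tags, event.content]);
    return { ...event, pubkey, sig: this.#signFn(this.#secret, serialized) };
  }
}

// Move the secret behind a signer, then lock the entry so later readers see it as absent.
function sealSecretKey(storage, keyName, signFn) {
  const proto = Object.getPrototypeOf(storage); // Storage.prototype in a browser
  if (!Object.getOwnPropertyDescriptor(proto, 'getItem').configurable) throw new Error('already sealed');
  const secret = storage.getItem(keyName);
  if (secret === null) throw new Error(`no "${keyName}" entry in storage; nothing to seal`);
  const signer = new NostrSigner(secret, signFn);

  // Patch getItem, key and length on the prototype, not the instance, and make the patches
  // non-writable and non-configurable so a later script cannot restore the originals.
  const origGetItem = proto.getItem;
  const origKey = proto.key;
  const origLength = Object.getOwnPropertyDescriptor(proto, 'length').get;
  const visibleKeys = (self) => {
    const names = [];
    for (let i = 0; i < origLength.call(self); i++) {
      const name = origKey.call(self, i);
      if (name !== keyName) names.push(name);
    }
    return names;
  };
  Object.defineProperties(proto, {
    getItem: { value(name) { return String(name) === keyName ? null : origGetItem.call(this, name); },
               writable: false, configurable: false },
    key: { value(index) { const n = visibleKeys(this); return index < n.length ? n[index] : null; },
           writable: false, configurable: false },
    length: { get() { return visibleKeys(this).length; }, configurable: false },
  });
  return signer;
}

function runDemo() {
  const storage = new MemoryStorage();
  storage.setItem('theme', 'dark'); // ordinary entry that must stay readable
  storage.setItem(SECRET_KEY_NAME, 'constructed-sample-secret-not-a-real-key');

  // 1. As early as possible in page load: seal the secret.
  const signer = sealSecretKey(storage, SECRET_KEY_NAME, placeholderSign);
  // 2. The application still signs through the signer.
  const signed = signer.signEvent({ kind: 1, created_at: 1729629045, tags: [], content: 'hello' });
  // 3. Probes a script injected after sealing could run (constructed for the example).
  //    The restore attempt is ignored in sloppy mode and throws TypeError in strict mode.
  try { Object.getPrototypeOf(storage).getItem = function () { return 'stolen'; }; } catch {}
  const probe = {
    getItem: storage.getItem(SECRET_KEY_NAME),                                     // null
    otherEntry: storage.getItem('theme'),                                          // 'dark'
    visibleKeys: Array.from({ length: storage.length }, (_, i) => storage.key(i)), // ['theme']
    ownProps: Object.getOwnPropertyNames(signer),                                  // []
    json: JSON.stringify(signer),                                                  // '{}'
  };
  return { publicKey: signer.getPublicKey(), signed, probe };
}

const demoResult = runDemo();
console.log(JSON.stringify(demoResult, null, 2));
```

Two checks a practitioner would add before relying on this in a real page. First, the patch only covers the method path: a real Storage object also exposes entries as named properties, so while the item is still stored, localStorage['nostr_secret_key'] and Object.keys(localStorage) read it regardless of what Storage.prototype.getItem does, and a same-origin iframe created by the injected script gets a fresh realm with an unpatched Storage.prototype and the same data. Calling removeItem after the early read and keeping the secret in memory only (re-obtaining it on the next load) closes both; that is a suggested hardening, not something the post states it does. Second, sealing the key is not the same as sealing the signer: any script that runs after the seal can still call signEvent, so an XSS payload that cannot read the key can still obtain signatures on events of its choosing.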