Hi Finn

> On 16 Aug 2021, at 17:22, Finn Lancaster <flancas...@gmail.com> wrote:
>
> I don't have much experience with JS macros in TW, but I can imagine it would
> be the same, especially if there is no sanitisation whatsoever. As to
> eliminating iframes, normally there is no way to break out of it. However, in
> the case of my Proof-of-Concept with TW, the localStorage is global, and can
> be accessed by ANY SITE. This is just one more reason I believe TW should use
> browser cookies: they are not accessible from inside an iframe, and have more
> options for security and access.
A big part of the problem is that browsers treat all file:// URIs as a single origin, and don't apply the usual same-origin checks. That means that it is pretty much impossible to securely use local storage from a file:// URI. For the same reason, browser cookies are no better than local storage.

Best wishes

Jeremy.

--
You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/BB56CA48-E0B5-4499-AF5B-7C357788DB01%40gmail.com.