Please Stop Using Local Storage (rdegges.com)
31 points by vquemener on Jan 28, 2018 | hide | past | favorite | 8 comments


This is wrong, IMO. The author states the main risk to LS data is an XSS vulnerability in the website. While true, an XSS in a website is pretty much a "game over" and allows the attacker to get any information and perform any action in the context of the site.

Essentially, if a website has an XSS your information is compromised no matter what mechanism the site uses to store it.


That’s exactly what I was thinking also. Local storage is protected by the origin access policy. If that is compromised by XSS, it doesn’t matter how or where the data is stored; it’s accessible.


It doesn't even need to be "stored"; an XSS attack can pull information that is simply displayed on the page.

When it comes to web-apps, XSS is game over. It's the web equivalent of remote code execution.


That was a relatively interesting read except for this line:

> One of the annoying things about cookies (the only real alternative to local storage) is that they need to be created by a web server. Boo!


I agree. The only reason I can think of to justify this is that the author is implying you should only use the HttpOnly flag for security reasons. Still seems odd that they don’t know you can set cookies with JS.


OMG, he tells us not to store anything security-critical in Local Storage but advises storing encrypted sessions in Cookies instead!

He says that any JS code on the page can access Local Storage but he doesn't mention that Cookies can be accessed by JS just like Local Storage. And also, Cookies will be sent with each request even if the request target is an image or a CSS file, whereas with Local Storage you can decide which data should be sent with each individual request.

He says that Local Storage can store strings only, but he doesn't mention that Cookies are even worse than this - it's JUST ONE string.

After that he talks about Cookie-related CSRF attack prevention, which is not needed with Local Storage.

Doesn't he contradict himself?


"Please Stop Using Local Storage" is not helpful and will confuse people who are unfamiliar with browser storage. I'm guessing the author meant, "Please Stop Storing Application Data in the Browser Instead of a Server-Side Persistence Layer (DB)". Local Storage is a specific thing in the browser and is useful in specific cases.

I found a good comparison of all browser storage options on Quora: https://www.quora.com/What-is-the-difference-between-session...

I believe all of the author's stated shortcomings of local storage apply to all browser storage options.

* String Only

* Synchronous

* No Web Worker Support

* Size Limits (smaller for cookies but all have limits)

* Any JavaScript code on the page has access (don't include scripts you don't trust)

Also, keep in mind...

* There is no guarantee the browser will encrypt the content on disk. I believe Chrome encrypts cookies, but I don't think others do. I don't believe local storage is encrypted at all. Session storage & session cookies should only be in memory. You shouldn't be storing PII in the browser anyway.

* These storage options can't be accessed by other domains as they conform to the same origin policy, but this is an important caveat: The "origin" of the script is the page it is executed in, not where it comes from. So, if you include <script src="http://somehacker.com/superLib.js"></script> it will execute in your origin and can access everything. Protect your users by only including scripts you know are safe.

* https://stackoverflow.com/questions/12543978/same-origin-pol...

* https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...

In short, do some research and use the right tool for the right job.


Well, localstorage is still much better than cookies. The browser includes cookies on all requests to your server. There is no way JavaScript can tell the browser to stop that!!! Now, stop using cookies!!!!



