Usage of ng-idle leaves traces of app use in the browser localStorage #3277
Comments
After looking at the implementation of the ng-idle variable, I've identified that we could just drop the JavaScript reference to window.localStorage, forcing the app to use an already existing polyfill based on a temporary implementation. This can be achieved with the following code:
I've reported this to the developer of the library (@moribvndvs), asking for the possibility to patch ng-idle and ng-idle2 to offer a privacy-preserving mode using this temporary polyfill implementation by default:
@gronke @hackademix: what do you think of such a simple fix?
The browser won't restore the reference at runtime, so this approach can work in this specific case of a non-hostile environment (yet, I'd double-check that the polyfill doesn't use cookies as a fallback persistence mechanism).
This is a case where you're assuming malicious code which you'll try to contain, and it's a much bigger fish to fry.
Thank you for your feedback, @hackademix! Yes, considering the non-hostile environment, we will proceed with this quirk. JShelter is a very interesting project. Have you evaluated implementing it as a JavaScript library that a project could include as its first script to sandbox the entire application?
In relation to the topic of minimizing the forensic traces (#2668) left by the application on the browser of the user, I've analyzed the implementation of the ng-idle module used for detecting user idling and found out that it uses a persistent localStorage variable to track the time of the last user action.
This leaves a trace in the browser that the app was used. The trace is, however, anonymous and does not contain any information about the activities performed on the site.
This ticket is to track the activity of patching the library usage so that it uses a temporary variable, reducing the traces left in the user's browser.
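The approach discussed in this thread, as an added example that is not the project's or ng-idle's own code: it shadows `localStorage` before a feature-detecting library runs, then checks that nothing reached persistent storage or cookies. The names `MemoryStorage`, `pickStorage`, `hideLocalStorage`, `simulateSession`, the key `idle.lastActivity`, and the probe-and-fall-back behaviour are assumptions made for illustration.

```javascript
// Added example; all function and class names here are hypothetical,
// not taken from ng-idle or the project.

// In-memory store with the Web Storage method surface; lost on page unload.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Assumed library behaviour: probe localStorage with a write and fall back
// to the in-memory store when the probe throws.
function pickStorage(win) {
  try {
    const s = win.localStorage;
    s.setItem('probe', '');
    s.removeItem('probe');
    return s;
  } catch (e) {
    return new MemoryStorage();
  }
}

// Run before the library loads: shadow the reference so the probe fails.
// Non-configurable, so later non-hostile code cannot accidentally restore it.
function hideLocalStorage(win) {
  Object.defineProperty(win, 'localStorage', { value: undefined, configurable: false });
}

// Constructed stand-in for a browser window: `disk` plays the part of
// storage that survives the session, `document.cookie` the cookie jar.
function simulateSession(hide) {
  const disk = new Map();
  const persistent = {
    getItem: (k) => (disk.has(k) ? disk.get(k) : null),
    setItem: (k, v) => { disk.set(k, String(v)); },
    removeItem: (k) => { disk.delete(k); },
  };
  const win = { document: { cookie: '' } };
  Object.defineProperty(win, 'localStorage', { get: () => persistent, configurable: true });
  if (hide) hideLocalStorage(win);

  const storage = pickStorage(win);
  storage.setItem('idle.lastActivity', String(Date.now())); // constructed key
  return {
    persistedKeys: [...disk.keys()],            // what a later examiner would find
    cookie: win.document.cookie,                // must stay empty (no cookie fallback)
    inMemory: storage instanceof MemoryStorage,
  };
}
```

In a real browser the same audit is to inspect `localStorage` and `document.cookie` from a fresh tab after a session has ended.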