
Please stop using local storage - shrthnd
https://dev.to/rdegges/please-stop-using-local-storage-1i04
======
_bxg1
"It can only store string data. Boo. This makes it pretty useless for storing
data that's even slightly more complex than a simple string. And sure, you
could serialize everything including data types into local storage, but that's
an ugly hack."

It's not an ugly hack, it's the same thing you do every time you make an
(async) HTTP request. Its serializability is one of JavaScript's greatest
strengths as a language.

"It is synchronous. This means each local storage operation you run will be
one-at-a-time. For complex applications this is a big no-no as it'll slow down
your app's runtime."

Along with... all JavaScript variables? Why would locally storing small (<5MB)
pieces of data need to be asynchronous? It will not slow down your app, I
promise you.

"It can't be used by web workers =/ This means that if you want to build an
application that takes advantage of background processing for performance,
chrome extensions, things like that: you can't use local storage at all since
it isn't available to the web workers."

An unfortunate limitation, but hardly a reason to avoid using it. Besides,
it's easy enough to have your main JS thread be an intermediary.

"It still limits the size of data you can store (~5MB across all major
browsers). This is a fairly low limit for people building apps that are data
intensive or need to function offline."

Again, a limitation is not an inherent evil. If you need your app to function
offline, you need to be using workers anyway. For caching, use the purpose-
built Cache API.

"Any JavaScript code on your page can access local storage: it has no data
protection whatsoever. This is the big one for security reasons (as well as my
number one pet peeve in recent years)."

Sorry to break it to you, but if malicious JavaScript is running on your
page, it can access _everything_. The user's most private data that ever shows
up on any page. The password they're typing in. Their security questions.
Their cookies. The only place data is (possibly) secure from malicious client
code is the server itself. The primary security mechanism on the web is domain
separation; XSS is a very real concern, but using localStorage hardly elevates
the risk beyond what it already is.

This is a bad article.

------
mr_toad
The article implies that 3rd party scripts loaded on a page have carte blanche
access to local storage.

MDN disagrees:

[https://developer.mozilla.org/en-US/docs/Web/Security/Same-o...](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#Cross-origin_data_storage_access)
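
An added example, not part of any comment in this thread: a small model of the same-origin rule the MDN link describes, showing which contexts end up on the same localStorage area. The example.com / example.net URLs and the context objects are constructed for illustration, and only plain (non-sandboxed) frames are modelled.

```javascript
// Added illustration: which contexts share one localStorage area?
// All URLs and context objects below are constructed sample values.

// Web Storage is partitioned by origin: scheme + host + port.
function originOf(url) {
  // URL.origin drops default ports (443 for https, 80 for http).
  return new URL(url).origin;
}

// A <script src=...> does not get the origin of the host it was fetched from:
// it executes inside the embedding document and uses that document's storage.
// A document or <iframe> uses the origin of its own URL.
function storageOrigin(ctx) {
  if (ctx.kind === 'script') return originOf(ctx.embedder);
  if (ctx.kind === 'document' || ctx.kind === 'iframe') return originOf(ctx.url);
  throw new TypeError(`unknown context kind: ${ctx.kind}`);
}

function sharesStorage(a, b) {
  return storageOrigin(a) === storageOrigin(b);
}

const page = { kind: 'document', url: 'https://app.example.com/account' };
const samples = {
  cdnScript: { kind: 'script', url: 'https://cdn.example.net/widget.js', embedder: page.url },
  cdnFrame: { kind: 'iframe', url: 'https://cdn.example.net/widget.html', embedder: page.url },
  httpPage: { kind: 'document', url: 'http://app.example.com/account' },
  portPage: { kind: 'document', url: 'https://app.example.com:443/settings' },
  subdomain: { kind: 'document', url: 'https://static.app.example.com/' },
};

// For each sample context: does it read and write the same storage as `page`?
function report(reference, contexts) {
  return Object.entries(contexts).map(([name, ctx]) => ({
    name,
    kind: ctx.kind,
    storageOrigin: storageOrigin(ctx),
    sharedWithPage: sharesStorage(ctx, reference),
  }));
}

console.table(report(page, samples));
```

The script fetched from the other host shares the page's storage, while the iframe from that same host does not; a different scheme or subdomain is a different storage area as well.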

------
ajeet_dhaliwal
The overall article and conclusion are correct but the title is overly
simplistic. You can use local storage just fine for the right reasons.

------
jpl56
It's interesting to know that!

How can I ensure, as a user, that the website I'm using doesn't store
sensitive data locally?

~~~
Doxin
You can't, and you shouldn't worry about if it does. Just about _every_
website stores something very sensitive locally: your session cookie. If your
session cookie gets stolen someone else can log in as you. In practice this is
rarely a problem, and never a problem in correctly designed systems.

