Can an included script hosted on a different domain access localstorage from current domain

Scripts you include in your page using <script> can definitely access Local storage, they are running in same origin as your other scripts. This is also the reason behind advisories on not to store authentication tokens inside Local storage, because an injected script using an XSS attack can read and write to the Local storage.

This is however different for an <iframe> since they have their own origin.

• Thank you. You nailed it, since I was intending to store a session id in localstorage. Since I have no backend available, is there a way to store a session id? Can localstorage be configured such that only scripts LOADED from the same domain can access it?

  Simon Ferndriger

  – Simon Ferndriger

  2022年07月30日 20:09:03 +00:00

  Commented Jul 30, 2022 at 20:09
• Would it be save if EVERY external script would be self-hosted (and checked for localstorage access), such that it would be impossible for another script to be injected?

  Simon Ferndriger

  – Simon Ferndriger

  2022年07月30日 20:15:57 +00:00

  Commented Jul 30, 2022 at 20:15
• @SimonFerndriger I don't believe this is possible. the best practice is to store it inside an http-only cookie. Regarding self-hosted scripts, you should not only check for localstorage access but also including a third script or any other type of executing a dynamic piece of code! (this self-hosed script can download and execute another remote script)

  ptvty

  – ptvty

  2022年07月30日 20:22:08 +00:00

  Commented Jul 30, 2022 at 20:22
• 1
  @SimonFerndriger maybe this answer gives some insight on the security side security.stackexchange.com/a/15193/107894

  ptvty

  – ptvty

  2022年07月30日 20:27:16 +00:00

  Commented Jul 30, 2022 at 20:27

• javascript
• security
• local-storage
• cross-domain