FHIR Chat · App protection and sessionStorage · smart

Stream: smart

Topic: App protection and sessionStorage


Travis Cummings (May 09 2019 at 17:33):

The spec's App protection section says this:
- Apps should persist tokens and other sensitive data in app-specific storage locations only, not in system-wide-discoverable locations.

For the EHR vendors supporting SMART, would the window's sessionStorage provide this "app-specific" storage location (because of sandboxing each app)? I'm not concerned with multiple instances of my app, but sandboxing between my app and another app or component.

An example would be if my app and another app used the SMART JavaScript Library and it stores the token at sessionStorage.tokenResponse. Would the other app override my storage? Would the other app be able to see my token value?

Josh Mandel (May 09 2019 at 21:00):

Session storage is only accessible to code running in the same origin.

Josh Mandel (May 09 2019 at 21:00):

(but also it's not durable across browser sessions.)

Josh Mandel (May 09 2019 at 21:01):

That advice from the spec applies especially to native apps that want to keep information in their own protected storage area rather than in a shared storage area.


Last updated: Apr 12 2022 at 19:14 UTC