Comment by ucarion
6 years ago
Putting secret information in a URI is explicitly called out as a bad idea in the very RFC you reference:
> URI producers should not provide a URI that contains a username or password that is intended to be secret. URIs are frequently displayed by browsers, stored in clear text bookmarks, and logged by user agent history and intermediary applications (proxies).
https://tools.ietf.org/html/rfc3986#section-7.5
As an aside, if you're going to be making any security judgments from an RFC, every RFC since RFC2223 has a Security Considerations section. You usually want to start there.
It's fairly obvious that this is about keeping secrets from other users locally, whereas the fragment discussion is about keeping secrets from the server, and that these two are not the same thing. People reasonably see the fragment as none of the server's business independently of whether it's any other local user's business (the latter fact itself being no one else's business to care about).
Seems like both Stripe and the website author are misusing the browser feature.
Seems like the core problem is the lack of a storage API that can only be accessed from JS that executes from the same domain?
Edit: Seems localStorage does isolate per domain, but I am not sure whether it's for the page itself or for external JS too.
I've found some places say localStorage is insecure, but both OWASP [0] and MDN [1] say it isolates by origin. Third-party scripts from different origins shouldn't be able to access it, but a successful XSS attack could have access.
[0] https://cheatsheetseries.owasp.org/cheatsheets/Session_Manag...
[1] https://developer.mozilla.org/en-US/docs/Web/API/Web_Storage...
Good to know. Thanks for pointing this out!
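As an added example (not code from the thread, from Stripe, or from the site being discussed), here is the client-side handling the RFC 3986 §7.5 quote at the top of the thread argues for: read the secret out of the fragment, then produce a URL with the userinfo, the fragment and any secret-looking query parameters stripped, which is what a page would hand to history.replaceState so the secret does not survive in browser history, bookmarks or logs. The fragment being encoded as key=value pairs, the key name `token`, and the list of query keys treated as secret are assumptions.

```javascript
// Added example: extract a secret carried in a URL fragment and return a
// scrubbed URL that is safe to keep in history, bookmarks or log lines.
// Uses the WHATWG URL / URLSearchParams classes (browsers and Node.js).

// Assumed list of query-parameter names that should never be logged. Unlike the
// fragment, the query string IS sent to the server, so it must be redacted too.
const SECRET_QUERY_KEYS = new Set(['token', 'access_token', 'api_key', 'secret']);

function parseFragmentParams(hash) {
  // Assumption: the fragment is application/x-www-form-urlencoded,
  // e.g. "#token=abc&exp=60" (the convention the OAuth implicit flow uses).
  return new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
}

function extractAndScrub(rawUrl, secretKey = 'token') {
  const url = new URL(rawUrl);
  const secret = parseFragmentParams(url.hash).get(secretKey); // null when absent

  // Drop exactly what RFC 3986 section 7.5 warns about: userinfo in the
  // authority component and the secret-bearing fragment.
  url.username = '';
  url.password = '';
  url.hash = '';

  // Redact, rather than delete, secret-looking query keys so the scrubbed URL
  // still shows which parameters were present.
  for (const key of [...url.searchParams.keys()]) {
    if (SECRET_QUERY_KEYS.has(key.toLowerCase())) url.searchParams.set(key, 'REDACTED');
  }

  // The secret is returned in memory only; where (or whether) to persist it is a
  // separate decision, since localStorage is origin-isolated but exposed to XSS.
  return { secret, safeUrl: url.toString() };
}

// Constructed sample callback URL, as a page might receive it after a redirect.
const SAMPLE = 'https://alice:hunter2@example.com/cb?token=q1&state=xyz#token=frag-secret&exp=60';
const result = extractAndScrub(SAMPLE);
// In a browser the scrubbed URL would then replace the current history entry:
// history.replaceState(null, '', result.safeUrl);
```

In a browser, call `history.replaceState(null, '', result.safeUrl)` right after extraction so the original fragment never lingers in the address bar or session history.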