Comment by mehrdadn

6 years ago

It's fairly obvious that this is about keeping secrets from other users locally whereas the fragment discussion is about keeping secrets from the server and that these two are not the same thing. People reasonably see the fragment as none of the server's business independently of whether it's any other local user's business (the latter fact itself being no one else's business to care about).

Seems like both Stripe and the website author are misusing the browser feature.

Seems like the core problem is the lack of a storage API that can only be accessed from JS that executes from the same domain?

Edit: Seems localStorage does isolate per domain, but I am not sure whether it's for the page itself or for external JS too.