How to clear sensitive memory in JavaScript?

2024/2/27 7:49:55

I have a login form for a user to type his/her password. This form is bound to an AngularJS model. Suppose that in the corresponding controller the user-given password is available via $scope.password.

The actual login procedure is handled by this function call: login($scope.email, $scope.password). After that procedure the application logic does not need the password anymore and my wish is to clear it from the browser's memory.

To me, the most obvious question is: what can I do right after calling login($scope.email, $scope.password) in order to clear the memory holding the value that $scope.password is currently bound to? This question is valid for JavaScript in general, I hope.

But then, following up from here, I have two more AngularJS-specific questions:

  • Is the password form value bound to more AngularJS-internal variables than just to $scope.password? In that case, overriding $scope.password would not be helpful.

  • When switching the view, the controller corresponding to the old view and its scope become "destroyed". Should I simply rely on the garbage collection to clear the memory containing the password within a short time interval after switching away from the login view?

Answer

As nothing in the various web browser related scenarios makes commitments about the contents of browser memory, you can never be sure that you are clearing memory.

Consider the simple JS code:

x=1234;
x=5678;

Even in such a simple snippet you have no guarantee that you've actually removed 1234 from memory. All you know is that when you reference x its value will be 5678. You don't know if 5678 overwrote 1234 or was written to a new memory location.

Similarly, once the user has entered their password in response to a form containing:

<input type="password" name="p">

You have no guarantee that you can ever erase the memory holding their password; even if you run the form again.

The only way around these limitations is to write a fat client that is run as a desktop app or browser plugin.

Note that none of the above is meant to state that browsers are sloppy with secrets in their memory. They generally try to prevent memory examination vulnerabilities. It's just that you have no insight into what they do and how you can leverage it. Even if you did, it would be specific to each browser version.

So, unless you feel that you need to protect the password more than, for example, your bank, get used to the fact that you must put your users' passwords into the (hopefully) trustworthy hands of the browser.
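As an added illustration that is not part of the original answer, the following JavaScript (runs under Node.js 18+ or any modern browser) shows the two language-level facts behind the answer: a string is an immutable value, so reassigning one binding such as $scope.password leaves every other reference to the same string untouched, whereas a Uint8Array is mutable storage that can be overwritten in place as a best-effort wipe visible to every holder of the buffer. The SecretBytes class and the sample passwords are constructed for this example; nothing here makes any claim about what the engine or the <input type="password"> element still hold elsewhere in memory.

```javascript
// Added example (not from the original Q&A). Demonstrates why reassigning a
// JavaScript variable does not erase a secret, and what best-effort wiping of
// a mutable buffer looks like. TextEncoder is a global in Node.js and browsers.

// 1. Strings are immutable values. Reassigning one binding leaves every other
//    binding (and whatever copy the engine keeps) untouched.
function demonstrateStringAliasing() {
  let password = "correct horse battery staple"; // constructed sample secret
  const aliasHeldByFramework = password;          // e.g. a second reference kept by a view model
  password = "";                                  // "clearing" only our own reference
  // The secret is still reachable through the alias; nothing was overwritten.
  return aliasHeldByFramework;
}

// 2. A Uint8Array is mutable storage: fill(0) overwrites the bytes in place,
//    so every reference to the same buffer observes zeros afterwards.
//    Hypothetical helper written for this example.
class SecretBytes {
  constructor(str) {
    // Note: the string argument remains an immutable string the engine owns;
    // only this encoded copy can be wiped by us.
    this.bytes = new TextEncoder().encode(str);
    this.wiped = false;
  }

  // Hand the raw bytes to a callback (e.g. a hashing or login routine).
  use(fn) {
    if (this.wiped) throw new Error("secret already wiped");
    return fn(this.bytes);
  }

  // Best-effort wipe: overwrite in place, then refuse further use.
  wipe() {
    this.bytes.fill(0);
    this.wiped = true;
  }
}

function demonstrateBufferWipe() {
  const secret = new SecretBytes("hunter2");      // constructed sample secret
  const alias = secret.bytes;                     // another reference to the same memory
  const lengthSeen = secret.use((b) => b.length); // 7 bytes for "hunter2"
  secret.wipe();
  const aliasIsZeroed = alias.every((byte) => byte === 0);
  return { lengthSeen, aliasIsZeroed };
}
```

The practical takeaway matches the answer: if a password must pass through JavaScript, keeping it in a typed array that is zeroed after use is the most you can do from the language, and even that only covers the copy you control, not the string the browser produced from the form field.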

http://en.ppmy.cn/q/41281.html
