This page contains various code examples for the scenarios in the security cheat sheet on Secure data storage in the browser. The source code is available on GitHub.

Below, you can find links to the individual scenarios. You can also find links to malicious pages that attempt to steal data from the storage area. They abuse an XSS vulnerability in an error page running in the same origin as the scenario.

Scenario page	Pro	Con	Malicious page
Storing data in localStorage	Easily accessible long-term storage	All script code running within the origin can access the data Legitimate code has no exclusive control over the data Data is stored in plaintext on the file system	Open malicious page
Storing data in sessionStorage	Easily accessible short-term storage Data access is limited to code running within the set of browsing contexts	Legitimate code has no exclusive control over the data Data is stored in plaintext on the file system	Open malicious page
Origin-isolated data storage	Origin-based isolation is suited for storing sensitive data The API can enforce origin-based access control The absence of third-party code ensures full control over the data	Data is stored in plaintext on the file system	Open malicious page
Encrypted data storage with a server-provided key	Origin-based isolation is suited for storing sensitive data The API can enforce origin-based access control The absence of third-party code ensures full control over the data Data is stored encrypted on the file system	Requires the application to be online, so it can retrieve the user-specific key from the server	This scenario uses the same storage mechanism as Origin-isolated data storage
Encrypted data storage with a user-provided password	Origin-based isolation is suited for storing sensitive data The API can enforce origin-based access control The absence of third-party code ensures full control over the data Data is stored encrypted on the file system	Requires the user to enter a password once to encrypt and decrypt data	This scenario uses the same storage mechanism as Origin-isolated data storage