
I have a website where users can sign up, and I would like to offer some of its features through a Chrome extension, but I am a bit worried about security.

My idea is to show a login form in the popup, send an ajax request to the server with the username/password (over HTTPS), and store a token in localStorage that is then used for subsequent ajax calls.

Is this insecure? Why? I don't understand how this is any less secure than, for example, logging in through a form on my own website or sending an ajax request from a client-side js framework.

1 Answer

This is secure, as long as you handle the token properly on the client side (i.e. only submit it to your site, and to no other sites). The danger is that you are essentially going around the work that Google and the open source community have done to secure Chrome/Chromium from XSS, CSRF, and other token-stealing attacks. Make sure that no other sites can request the token from your extension (this is done in the browser through same-domain enforcement). You will need to use certificate signing to verify the origination of the request (you should be able to reuse the private certificate that you use for SSL).

It is important that you treat all client requests as malicious, even if they originate from your extension. The server must perform all secure processing as if the client were completely compromised. On the server side, you shouldn't even know whether the user is using your extension or a regular browser, because security-wise it doesn't matter.

As for the storing of the login credentials on the client side, you should never store the password in plain text. You should salt and hash it, and submit that hash to the server. Based on your question, it sounds like you wouldn't store the user's credentials anyway, just a token. If that is the case, and the token doesn't contain anything sensitive, you should have no problem storing it. Make sure though that you expire tokens on the server side and force re-authentication periodically.

Answer was edited for clarification and typos

Answered 2013-03-15T19:24:36.900