How should I securely store passwords and use http auth in a chrome extension

Question

I'm making a chrome extension that requires fetching an xml file from a secure server.

I'm currently using XMLHttpRequest() to make a call to the server

https://username:[email protected]

which returns an xml object that I can parse and display. I want this extension to be available for more than just my hobby use, so it needs an options page to set and store the username and password.

How should I store the user password in chrome so that it is secure? chrome has a localStorage global for each extension that allows extension authors to store data, but it is stored in plain text. it doesn't allow extensions to access the 'remember my password' storage(with good reasons).

and is there a more secure way to do http auth? My current way of doing things requires passing the username/password in plain text in the url each time the function is called, even if the the authentication session hasn't expired.

Answer 1

An idea: ask the user for a key, which you can use to symmetrically encrypt the values before putting them in localStorage. You could also generate a unique key per client based on certain unique aspects of his machine/browser/etc.

Answer 2

The problem with asking for a key is that it means that you'll have to prompt each time at startup (if you store the key, you have the same problem). This may be an OK tradeoff if what you're protecting is especially sensitive.

In general, Chrome takes the philosophy of trusting the OS to protect the user's profile where this data is stored, so if you use local storage to store passwords, it's no different than what Chrome is doing today with password autofill, browser history, etc.