cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Community
English
Announcements
Want to learn some quick and useful tips to make your day easier? Check out how Calvin uses Replay to get feedback from other teams at Dropbox here.

Dropbox API Support & Feedback

Find help with the Dropbox API from other developers.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using implicit grant on frontend web app, where to safely store access code?

Labels:

Using implicit grant on frontend web app, where to safely store access code?

cloudlife
Helpful | Level 6
‎03-07-2017 11:06 PM
Go to solution

Sorry I'm still quite new to web development, but it seems like I wouldn't be able to save the access code into an httponly cookie. I've read that Angular has a way of sending cookies for requests that are only coming from my domain, which would deal with CSRF while the httponly deals with XSS.

https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

 

Therefore in order to maintain user session, and keep them logged in across multiple sessions, is to save it into localStorage? Is this right or is there another way?

 

If I do save it into localStorage, I would need to be very careful about XSS attacks, particularly code libraries that could be potentially compromised?

 

Any advice, even just a good article for reference, would be greatly appreciated!

Labels:
  • 0 Likes
  • 3 Replies
  • 2,040 Views
0 Likes
1 Accepted Solution

Accepted Solutions

Greg-DB
Dropbox Staff
‎03-13-2017 12:11 PM
Go to solution

The API v2 Dropbox JavaScript SDK does not handle access token storage automatically. It is left to the developer to decide what makes sense for their app/platform.

View solution in original post

3 Replies 3

Greg-DB
Dropbox Staff
‎03-09-2017 10:28 AM
Go to solution
We're happy to help with any issues or questions you have regarding the Dropbox API itself, but we can't offer app security advice. If you have any security questions, you should consult with a security professional.

That said, using local storage sounds like a reasonable solution in your case, but I can't speak to the security aspects.

cloudlife
Helpful | Level 6
‎03-12-2017 09:25 PM
Go to solution
Thanks for the reply! Would I be able to ask you about how the dropbox javascript SDK handles secure storage of the access code? Or is that left to the developer? Thanks again 🙂
0 Likes

Greg-DB
Dropbox Staff
‎03-13-2017 12:11 PM
Go to solution

The API v2 Dropbox JavaScript SDK does not handle access token storage automatically. It is left to the developer to decide what makes sense for their app/platform.

Need more support?
Who's talking

Top contributors to this post

  • User avatar
    Greg-DB Dropbox Staff
  • User avatar
    cloudlife Helpful | Level 6
What do Dropbox user levels mean?