I'm a backend developer, but AFAIK we use local storage to serve the posting key. When active/owner keys are needed (e.g. for transfers or markets), the user is asked for their password, which is used to re-derive the key. The active/owner keys themselves are never stored. (This was a recent change implemented as part of the response to the attack ~3 weeks ago.)
Thanks for the response. I'm just concerned about moving forward with this strategy (holding key in local storage) because I have read a good deal that this approach is vulnerable to XSS attacks.
Is there a way to sign a transaction without the user's password, using only the private key of posting/active/owner, etc.? Thanks!