Protected browser storage in .Net 5 Preview 8 and Blazor wasm

[julitogtu]

I'm trying to use the new Protected browser storage in a Blazor webassembly app, but the is throwing an PlatformNotSupportedExceptionexception, I was checking the code and in the ctor for ProtectedBrowserStorage the following validation is define (ProtectedBrowserStorage.cs):

// Performing data protection on the client would give users a false sense of security, so we'll prevent this.
if (RuntimeInformation.IsOSPlatform(OSPlatform.Browser))
{
	throw new PlatformNotSupportedException($"{GetType()} cannot be used when running in a browser.");
}

With blazor server it works.

In the meantime, I'm using another package to save data on the client using the localstorage, my question is: ProtectedBrowserStorage will be supported by blazor wasm or is this a bug?

Thanks,

[Pilchie]

@MackinnonBuck - any ideas?

[rogihee]

See #25677

[SteveSandersonMS]

It doesn't make sense to use protected browser storage on WebAssembly.

The idea of data protection is to encrypt the data so it can't be read by the end user while in storage (plus to use a hash to ensure the data can't be tampered with). Neither of these concepts are applicable when your code runs client-side, because the end user can always observe and modify what the code is doing. There's no way for any client-side application, whether that's JavaScript or WebAssembly or any native code (besides DRM approaches) to hide data from the user.

So when you're on WebAssembly, you should just use sessionStorage or localStorage directly via JS interop without attempting to hide the data. Be sure that your security model doesn't rely on the stored data not being read or modified by the end user in this case.