I want to implement a password store for my CEF application.
Requirements:
- must be multiplatform
- must be (quite) secure
- must use the native key store on the given platform to store passwords (standard Keystore on Mac OS, keyvault on Windows, ...)

I found that there are two options for implementing the password store:
- a) Implement a JS API (for access to the keystore) and write the frontend in JS/HTML
- b) Write a Chromium extension for CEF

a) It's not complicated, but I am not sure if it's secure enough. The problem is that the JS API will be available to the whole app that is loaded into the browser, etc.
Is there any option to restrict my JS API's visibility/access? For example, can I say "that API is available only on this internal URL"? (or something similar).
How can I ensure that no one except those explicitly specified can access my JS resources?

b) Is this more secure than a)? (I guess yes - the context is more isolated, etc.)
Are there any other options?
Thanks for advice
John