#indexeddb — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #indexeddb, aggregated by home.social.

  1. An #E2EE messaging app unaffected by #ChatControl

    * App: chat.positive-intentions.com/
    * Code: github.com/positive-intentions
    * Reddit: reddit.com/r/positive_intentio

    How it works: positive-intentions.com/docs/p

    TLDR: I'm working on a #P2P messaging #webapp. Webapps are generally not considered secure because of the nature of serving statics over the internet. This is correct, but not a limitation of this project. (#selfhosting options: positive-intentions.com/blog/d).

    As a webapp, I can provide the app with zero-installation and no-registration. The app is only using (local-only) browser storage (specifically #indexedDB). So in a P2P interaction, the traditional concept of "the cloud" is just the physical devices connected over #WebRTC. This allows for things like P2P authentication: positive-intentions.com/blog/s.

    Future:
    I'm aiming to create the most secure messaging app out there... (more than #Signal, #Simplex, #threema, #session, #deltachat, #bitchat, etc). I know I have a long way to go to get there. The UI is fairly ugly for the average user, but I think the mechanics are working as expected. I think #JavaScript is underrated in what you can do with it. I'm actively investigating improving the #encryption approach further to align to how the Signal protocol works (currently using a #DiffieHellman key-exchange).

    Support:
    In the age of #ChatControl, I would like to keep this project #opensource, but open-source funding is not working for me. I don't want your donations (but don't let that stop you) because it isn't sustainable for a long-term project. I have so far only experienced grant-funding rejections. I have no idea what I'm doing in trying to get funding for this project, so any support/advice is appreciated. In recognition of the project in its current state not being able to get funding... (sorry) I will have to go #closedsource (which I'd like to avoid because it undermines several #cybersecurity claims I'd like to make). I don't accept collaboration on the project because this would make tough decisions like going closed-source also immoral.

    #privacy #security #messaging #decentralized #peer2peer #webdev #cryptography #selfhosted #FOSS #tech #infosec #developer #funding #startup

  5. An example of using service workers and IndexedDB (the database built into browsers) to build a system that lets you upload an image even without a network connection and performs the actual upload once the network is available again.

    🔗 smashingmagazine.com/2025/04/b

    #IndexedDB #progressivewebapps #upload #web

  6. Ok. Just culled ~20,000 of 25,000 #tumblr posts accumulated via #RSS over a month. I've gotta get to work on my own project applying basic statistics to this stuff. Think "reverse chronological + $all_your_own_filtering_and_sorting_and_bucketing". Not sure if I should do that within the confines of a #thunderbird add-on, or try some other approach. I really, really want to be able to use #sql for this stuff. It's a natural fit. But #sqlite seems to be a no-go for #WebExtensions. There is only #IndexedDB, which, in my limited experience with it, is absolute garbage to work with.

  7. My esteemed followers, you have posted a total of 375,809 statuses to the #fediverse. 22% of you have posted in the last 24h. You are a chatty bunch! ;-)

    Check out my new #sideproject: *fedi-followers*. A privacy-friendly fediverse #followers explorer as #localonly #staticwebapp, decentrally hosted on the #ipfs. See who's actually following (and unfollowing) you over time and much more.

    fedi--followers-data0-one.ipns

    #decentralization #mastodev #esmodules #importmaps #nobuild #indexeddb #preact

  8. I've built a thing.

    Sometimes my follower count seemingly fluctuates at random. To understand why, I dug into the #MastodonAPI and created "fedi-followers":

    A privacy-friendly #fediverse #followers explorer as local-only static web app, decentrally hosted on the #ipfs. See who's actually following (and unfollowing) you over time and much more.

    fedi--followers-data0-one.ipns

    #mastodev #javascript #webapp #staticwebapp #nobuild #esmodules #importmaps #indexeddb #preact #htm

  9. "Encryption at Rest" for JavaScript Projects

    Following a previous post (infosec.exchange/@xoron/113446), which can be summarized as: I'm tackling bottom-up state management with an extra twist: integrating encryption at rest!

    I created some updates to the WIP pull-request. The behavior is as follows.

    - The user is prompted for a password if one isn't provided programmatically.
    - This will allow developers to create custom password prompts in their application. The default fallback is to use a JavaScript prompt().
    - It also seems possible to enable something like "fingerprint/face encryption" for some devices using the webauthn api. (This works, but the functionality is a bit flaky and needs to be fixed before rolling out.)
    - Using AES-GCM with 1000000 iterations of PBKDF2 to derive the key from the password.
    - The iterations can be increased in exchange for slower performance. It isn't currently configurable, but it might be in the future.
    - The salt and AAD need to be deterministic and so to simplify user input, the salt and AAD are derived as the sha256 hash of the password. (Is this a good idea?)

    The latest version of the code can be seen in the PR: github.com/positive-intentions

    I'm keen to get feedback on the approach and the implementation before I merge it into the main branch.

    #JavaScript #Encryption #IndexedDB #WebDevelopment #CryptoAPI #FrontendDev #ReactHooks #StateManagement #WebSecurity #OpenSource #PersonalProjects

  10. "Encryption at Rest" for JavaScript Projects

    I'm developing a JavaScript UI framework for personal projects, and I'm tackling state management with an extra twist: integrating encryption at rest!

    Inspired by this React Hook: Async State Management (positive-intentions.com/blog/a), I’m extending it to support encrypted persistent data. Here's how:

    ✨ The Approach:

    Using IndexedDB for storage.

    Data is encrypted before saving and decrypted when loading using the Browser Cryptography API.

    Event listeners will also be encrypted/decrypted to avoid issues like browser extensions snooping on events.

    The password (should never be stored) is entered by the user at runtime to decrypt the data. (Currently hardcoded for now!)

    The salt will be stored unencrypted in IndexedDB to generate the key.

    🔗 Proof of Concept:
    You can try it out here: GitHub PR (github.com/positive-intentions). Clone or run it in Codespaces and let me know what you think!

    ❓ Looking for Feedback:
    Have I missed anything? Are there better ways to make this storage secure?

    Let's make secure web UIs a reality together! 🔒

    #JavaScript #Encryption #IndexedDB #WebDevelopment #CryptoAPI #FrontendDev #ReactHooks #StateManagement #WebSecurity #OpenSource #PersonalProjects
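
Added example (not code from either post or from the project's pull request): posts 9 and 10 describe two ways to obtain the PBKDF2 salt for AES-GCM encryption at rest, the SHA-256 hash of the password and a random salt stored unencrypted beside the data. The sketch below uses the Web Crypto API to compare what each gives and to bind a record's location as AAD; the function names, the record layout and the `context` label are assumptions.

```javascript
// Added example, not the project's code. Browser or Node (global Web Crypto).
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;
const utf8 = new TextEncoder();
const ITERATIONS = 1000000; // PBKDF2 iteration count quoted in post 9

const randomBytes = (n) => webcrypto.getRandomValues(new Uint8Array(n));
const toHex = (buf) =>
  Array.from(new Uint8Array(buf), (b) => b.toString(16).padStart(2, "0")).join("");

// PBKDF2-SHA-256: password + salt -> 256 bits of key material.
async function deriveKeyBits(password, salt, iterations = ITERATIONS) {
  const base = await subtle.importKey(
    "raw", utf8.encode(password), "PBKDF2", false, ["deriveBits"]);
  return subtle.deriveBits(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations }, base, 256);
}

async function deriveAesKey(password, salt, iterations) {
  const bits = await deriveKeyBits(password, salt, iterations);
  return subtle.importKey("raw", bits, "AES-GCM", false, ["encrypt", "decrypt"]);
}

// Salt as described in post 9: SHA-256 of the password, nothing to store.
const passwordDerivedSalt = (password) =>
  subtle.digest("SHA-256", utf8.encode(password));

// Two installs that happen to share a password: does each get its own key?
async function compareSaltStrategies(password, iterations) {
  const fixed = await passwordDerivedSalt(password);
  const a = toHex(await deriveKeyBits(password, fixed, iterations));
  const b = toHex(await deriveKeyBits(password, fixed, iterations));
  const c = toHex(await deriveKeyBits(password, randomBytes(16), iterations));
  const d = toHex(await deriveKeyBits(password, randomBytes(16), iterations));
  // Equal keys mean one password->key table can be precomputed for all users.
  return { passwordSaltKeysEqual: a === b, randomSaltKeysEqual: c === d };
}

// Record layout as in post 10: random salt (and IV) stored in clear beside the
// ciphertext. `context` is a hypothetical label (store name + record key)
// passed as AAD so a record moved to another slot fails authentication.
async function sealRecord(password, context, plaintext, iterations) {
  const salt = randomBytes(16);
  const iv = randomBytes(12); // fresh 96-bit nonce per encryption
  const key = await deriveAesKey(password, salt, iterations);
  const ciphertext = await subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: utf8.encode(context) },
    key, utf8.encode(plaintext));
  return { salt, iv, ciphertext };
}

// Resolves to the plaintext, or null when the password, the context or the
// stored bytes do not match (AES-GCM tag check fails).
async function openRecord(password, context, record, iterations) {
  const key = await deriveAesKey(password, record.salt, iterations);
  try {
    const plain = await subtle.decrypt(
      { name: "AES-GCM", iv: record.iv, additionalData: utf8.encode(context) },
      key, record.ciphertext);
    return new TextDecoder().decode(plain);
  } catch {
    return null;
  }
}
```

With the password-derived salt every install using the same password derives the same key, while a stored random salt gives each record its own; the salt and IV are not secret and can sit unencrypted next to the ciphertext.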

  11. What kind of #Moderation would you wish a #SocialMedia service like #Mastodon or #FireFish to have?

    If you're familiar with #ActivityPub, can it be implemented with it?

    I'm specifically looking for user moderation tools for #PeerToPeer #P2P solutions where service data can't be manually moderated by a central actor. The service data would exist until it is forgotten (no one is sharing it).

    Profile and post data would be saved in browser database (#IndexedDB) and peer discovery would be handled by #HyperSwarm or similar. The whole service would be a #PWA, requiring zero server resources beyond loading the PWA, if possible.

    Currently I have this:
    - honor thread starter #blocklist (by hiding and not sharing those comments - individual clients could still show these and share, resulting in less effective moderation)
    - allow thread starter to moderate their threads (don't know how to implement this, yet)
    - allow post and comment editing (implement post version checking and automatic updates - again, a client might ignore updates or collect history, resulting in less effective moderation)
    - profile reputation, automatic blocking based on reputation and shared blocklists, #whitelist and shared whitelists, blocklist and shared blocklists (see above); essentially a #WebOfTrust implementation
    - visibility controls
    - sharing controls (for service data; by default interactions and own data would be saved locally and shared to network; data that is offline isn't reachable)

  12. Apple fixes major bugs in iOS, iPadOS, macOS, and watchOS software updates

    arstechnica.com/?p=1828540 #homepodsoftware #ipados15.3 #watchos8.3 #indexeddb #macos12.2 #ipados15 #watchos8 #ios15.3 #macos12 #watchos #ipados #safari #webkit #apple #ios15 #macos #tech #tvos #ios

  13. The need

    I was looking for software to manage the list of comics I want to buy.

    The requirements for the list items were relatively simple:

    • a name;
    • optionally a number, to indicate which volume of the series to buy, incrementable in one click (once I have bought a volume, I will logically want to buy the next one);
    • a published / not yet published status, to keep track of the books whose publication I am waiting for.

    That is relatively simple… but there was no way to find exactly what I wanted! The closest was Carnet, which also had the advantage of being synchronizable with a Nextcloud server and of having a Nextcloud application, but it did not handle numbers, and switching from one list to another is a bit slow (go back to the lists screen, find the other list, click on it).

    In short, I had an itch. And when a free-software enthusiast has an itch, the free-software enthusiast scratches it.

    Development

    Not wanting to learn to develop an Android application (Java? No thanks, I'm fine), I started coding a simple website (HTML/CSS/JavaScript), telling myself that I could always turn it into a progressive web app (PWA) later.

    A PWA is a web page that installs on your phone like a native application. Any data is stored locally if you are offline and synchronized when you are back online.

    So I developed my application, which I first called "Next Book", since the goal was to keep track of the books I wanted to buy. However, after talking with a few friends, I realized I could use this application for any kind of list: a shopping list, with the number of items to buy, for example. So I renamed it Nexi (for NEXt Item).

    On the menu, then:

    • application in JavaScript with AlpineJS;
    • CSS generated with TailwindCSS;
    • data stored locally via IndexedDB thanks to JsStore;
    • use of the WAVE browser extension to make sure Nexi is accessible.

    To my requirements, I added a few small things:

    • light and dark theme handling thanks to the CSS prefers-color-scheme feature;
    • multi-language support with detection of the browser language but with the option to choose the language you want (code largely taken from WemaWema's);
    • the ability to decrement the number (for a shopping list, only being able to increment the number is not very practical);
    • data export and import.

    The application

    This is what Nexi looks like

    No data is sent to any server; everything stays in the browser. I admit I wanted to move fast and had no desire at all to develop a server on top of it.

    You can use Nexi at https://nexi.fiat-tux.fr/ (which is a Gitlab Page on Framagit; I was too lazy to add a site on my server).

    If any of you used the address I shared on Mastodon over the last few days, https://fiat-tux.fr/nexi, I advise you to export your data and go to the new address to import it there: I don't know how long I will keep the old address active.

    For those wondering where the logo comes from, it's very simple: Nexi lets me quickly move an item from the "In progress" sub-list at the top to the "Next" sub-list at the bottom. The logo is therefore a representation of this feature: it is two arrows, one pointing up and the other pointing down 🙂

    The Nexi logo

    To install Nexi on your smartphone, go to the site and then look in your browser's menu: Firefox offers me a simple but effective "Install" (I don't know how other browsers do it).

    The code

    The Nexi git repository is on Framagit: https://framagit.org/fiat-tux/hat-softwares/nexi. Feel free to open tickets and contribute, or to install Nexi yourself: it is as simple as dropping the repository files onto the web server 🙂 It is also possible to contribute by translating Nexi at https://weblate.framasoft.org/projects/nexi/frontend/.

    Credit: Photo by David Ballew on Unsplash

    #alpine #indexeddb #jsstore #liste #nexi #pwa #tailwindcss #wave

    https://fiat-tux.fr/2020/09/09/nexi-un-nouveau-logiciel-de-gestion-de-listes/