I'm developing a pure javascript app that will run entirely on the client side and MUST BE VERY SECURE.
At the start I need to get a password to decrypt a file, after that I don't need to save it for any future uses.
So my question is: can window.prompt() be more secure for getting this password than writing it in an <input> field and retrieving it through document.getElementById().value?
Thanks
No, there is no guarantee of a practical difference in security. An injected script could hook window.prompt to intercept anything entered. For example:
```javascript
// In the attacker's script: keep a reference to the real prompt,
// then replace window.prompt with a wrapper that sees every value.
const _prompt = window.prompt;
window.prompt = function (p) {
  const v = _prompt(p); // the user still sees the normal dialog
  alert(`I intercepted ${v}`);
  return v; // the victim script receives the value as usual
};

// In your script: this now goes through the attacker's wrapper.
window.prompt("Enter your secret password");
```
You could perhaps take a private handle to window.prompt, but you'd have to be certain that it happened prior to the point at which a script could be injected.
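To show why the ordering matters, here is an added example (not part of the answer above) that captures a private handle to prompt at load time, asks through that handle, and checks whether the public prompt has since been swapped. `makeWindow` is a constructed stand-in for the browser's `window` so the snippet runs under Node; `createPromptGuard` and `installHook` are hypothetical names.

```javascript
// Constructed stand-in for the browser window: prompt "returns" what the user typed.
function makeWindow(typedSecret) {
  return { prompt: (message) => typedSecret };
}

// Intended to run at the very top of the first script on the page,
// before any other script has had a chance to execute.
function createPromptGuard(win) {
  const originalPrompt = win.prompt; // private handle
  return {
    // Ask through the captured handle, not through win.prompt, so a
    // replacement installed after this point is bypassed.
    ask(message) { return originalPrompt.call(win, message); },
    // Detection: has win.prompt been swapped since we captured it?
    replaced() { return win.prompt !== originalPrompt; },
  };
}

// Simulates the hook from the answer; `sink` records what the hook saw.
function installHook(win, sink) {
  const _prompt = win.prompt;
  win.prompt = function (p) {
    const v = _prompt.call(win, p);
    sink.push(v);
    return v;
  };
}

// Scenario 1: guard created before injection. Nothing is intercepted
// and the swap is detectable.
function guardFirst() {
  const win = makeWindow("correct horse");
  const sink = [];
  const guard = createPromptGuard(win);
  installHook(win, sink);
  const value = guard.ask("Enter your secret password");
  return { value, intercepted: sink.length, detected: guard.replaced() };
}

// Scenario 2: injection before the guard. The "private handle" is the
// hook itself, the value leaks, and the identity check sees nothing.
function hookFirst() {
  const win = makeWindow("correct horse");
  const sink = [];
  installHook(win, sink);
  const guard = createPromptGuard(win);
  const value = guard.ask("Enter your secret password");
  return { value, intercepted: sink.length, detected: guard.replaced() };
}
```

The identity check only ever compares against what was captured, so it is only as good as the guarantee that no foreign script ran first; a strict Content-Security-Policy is what gives that guarantee in practice.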