App Suite Security

Client-side caches

OX App Suite uses client-side caching to improve performance, availability and user experience in general. They should be considered regarding account security and content protection.

Web Storage

Web storage offers two different storage areas—local storage and session storage—that differ in scope and lifetime.

Session Storage

Session storage is per-page-per-window and is limited to the lifetime of the browser window. Session storage is intended to allow separate instances of the same web application to run in different windows without interfering with each other, a use case that's not well supported by cookies.

Local storage

The local storage is a simple key/value storage and is designed for data that spans multiple windows, and lasts beyond the current session. In particular, Web applications may wish to store megabytes of user data, such as entire user-authored documents or a user's mailbox, on the client side for performance reasons. Data placed in local storage is per domain. It is available to all scripts from the domain that originally stored the data and persists after the browser is closed. W3C: https://www.w3.org/TR/webstorage/open in new window.

Indexed Database API

The Indexed Database API, or Indexed DB (formerly WebSimpleDB), is a proposed web browser standard interface for a local database of records holding simple values and hierarchical objects. W3C: https://www.w3.org/TR/2013/CR-IndexedDB-20130704/open in new window.

Web SQL Database

Web SQL Database is a web page API for storing data in databases that can accessed using a variant of SQL. It is mainly used as fallback on devices where we can't use the Indexed Database API W3C: https://www.w3.org/TR/webdatabase/open in new window.

Application Cache API

In order to enable users to continue interacting with web applications and documents even when their network connection is unavailable — for instance, because they are traveling outside their ISP's coverage area — authors can provide a manifest which lists the files that are needed for the web application to work offline and which causes the user's browser to keep a copy of the files for use offline. W3C: https://www.w3.org/TR/2011/WD-html5-20110525/offline.htmlopen in new window.

Cache Usage

For static files like CSS, fonts, images and some JavaScript source files, App Suite uses Application Cache. This storage only gets invalidated by App Suite updates and contains no security relevant data. Depending on the browsers capabilities the data of nearly all API requests will be stored either in the local storage or Indexed DB.

This implies that access to these caches is possible if file system access to the client is available during an active session. To prevent this behavior on public machines, users should uncheck the login option "Stay signed in". In this mode no sensitive information will be written to any cache. Operators may consider this setting as default when using external authentication systems.

Files requested by App Suites modular dynamic code loading are also stored for caching purposes in the Indexed DB. As a fallback for mobile devices, OX App Suite uses Web SQL. When logging out of an active session OX App Suite clears all caches, except for the Application Cache, which does not store sensitive information.