feat: Share form secret keys across browser tabs using BroadcastChannel #203
Problem
Users have to repeatedly enter their form secret key if they open multiple tabs with the same form. This hinders future bulk downloading of attachments (Issue #16) because there are multiple clicks involved in unlocking a response from a tab.
Solution
We utilize BroadcastChannel to request and broadcast the form secret key to other tabs.
Tests
Security
BroadcastChannel will only broadcast the message to scripts from the same origin (i.e. https://form.gov.sg in practice) so all data should be controlled by scripts originating from FormSG. This does not store any data in browser-based storage (e.g. cookies or localStorage) so secrets would not be retained past the user closing all FormSG tabs containing the form.
We do not use polyfills for BroadcastChannel as they usually involve localStorage, which is not safe for secret key handling.
Browser Compatibility
BroadcastChannel
is not available on Safari and IE 11, so this feature is not available on those two browsers. Current behavior where users have to upload the secret key on each tab will continue for users on those two browsers.
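The request/broadcast exchange described in this PR, written out as an added example rather than the PR's own code. The channel name, the REQUEST_KEY/KEY message shapes, the per-form scoping via a formId field, and the in-memory FakeBroadcastChannel (so the block runs outside a browser) are all assumptions made for this example. The key lives only in the page's memory; nothing is written to cookies or localStorage, and a tab without BroadcastChannel (Safari, IE 11) falls back to asking the user for the key.

```javascript
// Assumed channel name shared by all tabs of the FormSG origin.
const CHANNEL_NAME = 'formsg-form-secret-key';

// Feature detection: tabs without BroadcastChannel keep the manual-upload flow.
function supportsBroadcastChannel(globalObj = globalThis) {
  return typeof globalObj.BroadcastChannel === 'function';
}

// Constructed stand-in for BroadcastChannel so the example runs offline.
// Like the real API, a message reaches every other open channel with the
// same name and is never echoed back to the sender.
class FakeBroadcastChannel {
  static registry = new Map();
  constructor(name) {
    this.name = name;
    this.onmessage = null;
    this.closed = false;
    if (!FakeBroadcastChannel.registry.has(name)) FakeBroadcastChannel.registry.set(name, new Set());
    FakeBroadcastChannel.registry.get(name).add(this);
  }
  postMessage(data) {
    for (const peer of FakeBroadcastChannel.registry.get(this.name)) {
      if (peer !== this && !peer.closed && peer.onmessage) peer.onmessage({ data });
    }
  }
  close() {
    this.closed = true;
    FakeBroadcastChannel.registry.get(this.name).delete(this);
  }
}

// One instance per tab. The secret key is held in memory only.
class SecretKeySharer {
  constructor(formId, channelFactory = (name) => new BroadcastChannel(name)) {
    this.formId = formId;
    this.secretKey = null;
    this.channel = channelFactory(CHANNEL_NAME);
    this.channel.onmessage = (event) => this.handleMessage(event.data);
  }
  // Called when the user pastes/uploads the key in this tab.
  setSecretKey(key) { this.secretKey = key; }
  // A freshly opened tab asks the other tabs for the key before prompting the user.
  requestKey() {
    this.channel.postMessage({ type: 'REQUEST_KEY', formId: this.formId });
  }
  // Returns 'answered', 'received' or 'ignored' so the outcome can be inspected.
  handleMessage(msg) {
    // Messages for a different form are ignored even though the origin is shared.
    if (!msg || typeof msg !== 'object' || msg.formId !== this.formId) return 'ignored';
    if (msg.type === 'REQUEST_KEY') {
      if (!this.secretKey) return 'ignored';
      this.channel.postMessage({ type: 'KEY', formId: this.formId, secretKey: this.secretKey });
      return 'answered';
    }
    if (msg.type === 'KEY' && typeof msg.secretKey === 'string' && !this.secretKey) {
      this.secretKey = msg.secretKey;
      return 'received';
    }
    return 'ignored';
  }
  close() { this.channel.close(); }
}

// Three tabs: one unlocked for form-A, one on a different form, one new tab for form-A.
function demo() {
  const factory = (name) => new FakeBroadcastChannel(name);
  const unlockedTab = new SecretKeySharer('form-A', factory);
  unlockedTab.setSecretKey('constructed-secret-key'); // constructed sample key
  const otherFormTab = new SecretKeySharer('form-B', factory);
  const newTab = new SecretKeySharer('form-A', factory);
  newTab.requestKey();
  const result = { newTabKey: newTab.secretKey, otherFormKey: otherFormTab.secretKey };
  [unlockedTab, otherFormTab, newTab].forEach((t) => t.close());
  return result;
}
```

In a real tab, `supportsBroadcastChannel()` decides whether to construct a `SecretKeySharer` at all; where it is false the existing prompt-per-tab behaviour remains. Closing the channel when the tab unloads means the key disappears with the last open tab, matching the no-persistence property described above.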