InterviewLane
Back to Browser Internals
Browser Internals
easy
mid

If you store data in localStorage on one domain, can another domain access it?

No — localStorage is scoped by **origin** (scheme + host + port). `https://a.com` and `https://b.com` see different storage. But same origin includes subdomains only if you configure document.domain (deprecated) or use postMessage from an embedded iframe of the original origin. Caveat: XSS on the original site reads it freely.

3 min read·~5 min to think through
Sign in to bookmark & track progress

localStorage is partitioned by origin. Origin = scheme + host + port. https://a.comhttps://b.comhttp://a.comhttps://sub.a.comhttps://a.com:8080.

Same-origin examples

URL AURL BSame origin?
https://a.com/xhttps://a.com/yYes
https://a.comhttps://www.a.comNo (different host)
https://a.comhttp://a.comNo (different scheme)
https://a.comhttps://a.com:8443No (different port)

What about subdomains?

Different by default. Workarounds:

  • document.domain = "a.com"deprecated, blocked by Origin-Agent-Cluster headers, do not use for new code.
  • An iframe on the parent origin that postMessages to the subdomain. The subdomain still can't read directly.
  • A shared backend that issues the same JWT to both.

How another site could still read it

  1. XSS on a.com — any injected JS runs at the origin, sees localStorage.
  2. Browser extensions with broad permissions.
  3. Devtools / physical access — local data is local.

That's why never store secrets in localStorage. Specifically:

  • Auth tokens (use httpOnly cookies — JS can't read).
  • API keys.
  • PII unless you've thought through XSS risk.

Related storage scopes

StorageScope
localStorageOrigin, persistent
sessionStorageOrigin + tab, cleared on tab close
CookiesDomain + path; can scope across subdomains
IndexedDBOrigin
Cache API / Service WorkersOrigin

Cross-origin sharing

If you genuinely need cross-origin storage:

  • Shared cookie scoped to parent domain (Domain=.example.com).
  • postMessage between an iframe and the parent.
  • Server-side state keyed by user.

But "share localStorage across origins" is not directly possible — it's a deliberate browser isolation.

Interview framing

"localStorage is origin-scoped (scheme + host + port). a.com and b.com can't read each other; a.com and sub.a.com can't either by default. The browser enforces this. But anything that runs JS on the origin — XSS, an extension, devtools — can read it freely. So never store auth tokens or secrets there; use httpOnly cookies. For legitimate cross-origin sharing, use a shared cookie scoped to the parent domain, postMessage between iframes, or server-side state."

Follow-up questions

  • How is sessionStorage different?
  • Why are httpOnly cookies safer for auth tokens?
  • How does Site Isolation / partitioning affect this?

Common mistakes

  • Storing JWTs in localStorage and being surprised by XSS exposure.
  • Assuming subdomains share storage.
  • Treating localStorage as 'secure' because the user can't easily see it.

Performance considerations

  • Synchronous API — large blobs in localStorage block the main thread. For anything > a few KB, use IndexedDB.

Edge cases

  • Browser storage partitioning (Firefox total cookie protection, Safari ITP) changes 3rd-party storage rules.
  • File:// origins behave specially.
  • Service worker scope subtleties.

Real-world examples

  • Auth library docs warning against localStorage tokens, OWASP cheatsheets on storage.

Senior engineer discussion

Seniors anchor on the origin model and the XSS attack surface. They explain why httpOnly + SameSite cookies are the right place for auth tokens, and reserve localStorage for non-sensitive user prefs.

Related questions