I wrote my own web based password manager in php, it works locally, and one attack vector I've always considered is a malicious site could perhaps use XSS attack to fetch a password from the site if I'm logged in to it. Now since this is a fully custom thing that I never released to the public, the odds of that are super slim, but let's just pretend this was actually a mainstream piece of software, what is the best way to prevent this sort of attack?
Essentially say you login to the password manager, so you get a cookie for a session so the next time you go you don't have to login again. You can look at all the passwords. So let's say you were to go to a malicious site, it could then use javascript to do a http request to the local site from within your browser, since you're logged in to the site, it will have access, and then it can relay password info to it's own server via an ajax request or similar call. The js is basically telling your browser "go to this site, get this info, and send it to this server".
Is there a way from a coding perspective to actually stop that from being possible other than very short session times? Or is this just the nature of the beast and why banks and such do in fact have such short session times?
Essentially say you login to the password manager, so you get a cookie for a session so the next time you go you don't have to login again. You can look at all the passwords. So let's say you were to go to a malicious site, it could then use javascript to do a http request to the local site from within your browser, since you're logged in to the site, it will have access, and then it can relay password info to it's own server via an ajax request or similar call. The js is basically telling your browser "go to this site, get this info, and send it to this server".
Is there a way from a coding perspective to actually stop that from being possible other than very short session times? Or is this just the nature of the beast and why banks and such do in fact have such short session times?