Security

This document is a work in progress.

Local storage

Certain data is stored in your browser’s local storage (unencrypted):

  • Local environment variables

  • Local settings (including API keys for Wingman providers)

Browser local storage is partitioned per origin, so this data is not accessible by other add-ins.

Workbook-scoped environment variables and settings are stored inside the Excel workbook itself (unencrypted), so anyone who receives a copy of the workbook can read them.

Risks and mitigations

With local storage, there are a few risks to be aware of:

  • Cross-Site Scripting (XSS): If an attacker could inject malicious JavaScript into the add-in, they could read local storage (and with it any stored API keys). xlwings Lite uses a restrictive Content Security Policy (CSP) that blocks inline scripts, disallows eval(), and only permits external scripts from an explicit allow-list of origins (its own origin plus the CDN hosts it loads dependencies from). This substantially reduces the risk of XSS, but a CSP is a second line of defense: it does not remove the need to keep the add-in's own code free of injection bugs.

  • Supply chain attacks: A compromised third-party dependency could access local storage. xlwings Lite uses GitHub Dependabot to help identify known vulnerable dependencies. Note that Dependabot only flags dependencies with a published advisory; it does not detect a package that has been maliciously modified without a disclosed vulnerability.

  • CDN (Content Delivery Network) compromise: External dependencies loaded from a CDN could be tampered with. xlwings Lite protects against this by using Subresource Integrity (SRI), which causes the browser to reject any file whose hash doesn't match the value pinned in the integrity attribute. As per Microsoft policy, Office.js is loaded without SRI, so Microsoft's CDN remains a trusted dependency.

  • Physical access: Anyone with access to your computer (or to your browser profile's on-disk storage) could inspect local storage, for example via the browser's developer tools.

Consider using low-privilege, rotatable API keys and setting spending limits on your LLM provider account (e.g., OpenAI) to reduce the potential impact of a leaked key, and rotate keys if a machine that stored them is lost or shared.