
kadfak | 4 years ago

Leaking your auth tokens through XSS sucks more.


asabil | 4 years ago

If you have an XSS, your problem is much bigger than leaking an ephemeral access token through localStorage.

leipert | 4 years ago

I don’t know whether you are referring to only local and session storage being feasible or not, but one can access cookies from JS as well.

fractionalhare | 4 years ago

Which is why you use domain scoping, httpOnly and Secure cookie flags so they can only be read by matching hosts (with greater granularity than same-origin policy) over HTTPS and can’t be read by JavaScript. The Web Storage API does not offer these protections.