by somlor
3677 days ago
Sure. My reasoning: The localStorage token helps protect against CSRF, e.g., this token will not be submitted via a form embedded on another site (the cookie will), therefore the request will not be authenticated. In an XSS attack (aka "we're screwed"), the secure, HttpOnly cookie at least adds an additional level of complexity above simply reading a single plaintext localStorage item. Perhaps this is naive? Of course I also take every precaution to prevent XSS from happening at all. Relevant [1].

[1] http://www.redotheweb.com/2015/11/09/api-security.html