by frankpf
2494 days ago
The localStorage vs cookies slide is wrong. localStorage does not open you up to XSS; you can have XSS with cookies as well. What the author probably meant is that cookies marked with `HttpOnly` cannot be exfiltrated via XSS, which is true, but:

1. Preventing exfiltration is not very useful. If you have an XSS, you're already in trouble. Instead of exfiltrating the cookie, the XSS author could send a POST to the endpoint that changes the password, for example.

2. You can also prevent localStorage exfiltration with either CSP's `connect-src` or a service worker, so that's not an advantage for cookies.

For a single page application, I would say that there is zero advantage to using cookies instead of localStorage for most use cases. In fact, it's harmful because now you have to deal with CSRF.
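The second point above mentions two ways to contain exfiltration from a compromised page: a CSP `connect-src` directive or a service worker that filters outbound requests. The following is an added example, not code from the comment author or from the slides being discussed: a service worker whose `fetch` handler refuses requests to any origin outside an allow-list, plus a helper that builds the equivalent `connect-src` directive. The origins `https://app.example` and `https://api.example` are assumed values constructed for the example.

```javascript
// Added example (not from the original comment): outbound-request allow-list
// as a service worker, mirroring what a CSP connect-src directive enforces.

// Origins that page scripts may talk to. Assumed values for this example.
const ALLOWED_ORIGINS = new Set([
  "https://app.example",
  "https://api.example",
]);

// Build the CSP directive that expresses the same policy, so the header and
// the worker can be kept in sync from one list.
function buildConnectSrc(origins) {
  return "connect-src " + ["'self'", ...origins].join(" ") + ";";
}

// Decide whether a request URL targets an allowed origin.
// Anything that is not https:// to a listed origin is refused, which also
// covers data:, blob: and plain-http destinations.
function isAllowedRequest(url, allowed = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparsable URL: refuse rather than guess
  }
  if (parsed.protocol !== "https:") return false;
  return allowed.has(parsed.origin);
}

// Worker side: only attaches inside a real service worker global, so the
// module can also be loaded and tested outside the browser.
if (
  typeof self !== "undefined" &&
  typeof ServiceWorkerGlobalScope !== "undefined" &&
  typeof self.addEventListener === "function"
) {
  self.addEventListener("fetch", (event) => {
    if (!isAllowedRequest(event.request.url)) {
      // Answer the request locally instead of letting it leave the browser.
      event.respondWith(
        new Response("blocked by outbound allow-list", { status: 403 })
      );
    }
    // Allowed requests fall through to the network as usual.
  });
}
```

Two caveats worth keeping in mind when relying on the worker alone: it only controls requests from pages under its scope after it has been installed and activated, and it sees only fetches that the browser routes through it. The `connect-src` directive applies from the first response onward and is enforced by the browser itself, so in practice the header is the primary control and the worker is a complement, not a replacement.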