by jusob 2482 days ago
But any XSS would give access to your authentication token, this is why you should never store it in local storage. Cookies have the HttpOnly flag that prevents JavaScript from accessing the cookie in case of XSS.
2 comments

HttpOnly doesn't really do much to stop an attacker that already has XSS. The attacker just makes the XSS perform the interactions they want directly instead of bothering to steal the cookie.

James Kettle wrote a good blog post that argues that webstorage is probably a better spot for session tokens here: https://portswigger.net/blog/web-storage-the-lesser-evil-for...

XSS is usually really, really bad anyway.

CSP plus trusted scripts... you should be working hard to prevent XSS.

Ideally, yes. In the current advertising market? No.
I don't know much about advertising.

Can't they be easily handled with an iframe?