by exelib 2480 days ago
Well, where do you store your JWT on the client? LocalStorage? Then you probably have a much broader surface for an attacker.

In the case of XSS you have lost anyway. But with HttpOnly cookies the attacker can't steal your token and do everything from everywhere with it.


XSS is a problem you have to solve no matter where you store your authentication material. If you have an XSS, then an attacker can do anything they want on your web pages. I’m not sure you’re gaining anything by saying “anything but steal the auth token”. If you store it as a cookie, now you have to solve XSS and CSRF, so I’d say that makes your attack surface broader. Especially considering front end frameworks have become very good at preventing XSS, and can’t do anything about CSRF.