by braveyellowtoad 1952 days ago
Out of curiosity, why are cookies preferred to local storage?
3 comments

As the others said - XSS. Stored XSS can still be a vulnerability with secure cookies, but locally stored tokens are a dramatically easier thing to take advantage of as an attacker, as they can just exfiltrate the token and hit your APIs with it.

For web browsers, cookie-based auth solves a ton of browser-specific problems that history has spent a long time building up answers for.

XSS attacks.

Also note that the cookies should be HttpOnly and with the Secure flag.

Any JavaScript on the same origin can read localStorage IIRC.
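
An added example, not code from the thread or from any commenter: a small auditor that parses `Set-Cookie` response headers and reports auth cookies missing the HttpOnly or Secure flag discussed above. The cookie names and header values are constructed sample data, and `auditCookies` with its `authCookieNames` parameter is a hypothetical helper.

```javascript
// Added example; the header values below are constructed sample data.

// Parse one Set-Cookie header value into { name, attrs }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || "";
  const eq = first.indexOf("=");
  if (eq < 1) return null; // no cookie name
  const attrs = new Map();
  for (const part of parts) {
    const i = part.indexOf("=");
    // Attribute names are case-insensitive, so normalise to lower case.
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs.set(key, i === -1 ? "" : part.slice(i + 1).trim());
  }
  return { name: first.slice(0, eq).trim(), attrs };
}

// List which of the two flags named in the thread are absent.
function missingFlags(cookie) {
  const missing = [];
  if (!cookie.attrs.has("httponly")) missing.push("HttpOnly");
  if (!cookie.attrs.has("secure")) missing.push("Secure");
  return missing;
}

// Report auth cookies (names supplied by the caller) that lack a flag.
function auditCookies(headers, authCookieNames) {
  const findings = [];
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    if (!cookie) {
      findings.push({ cookie: header, missing: ["unparseable"] });
      continue;
    }
    if (!authCookieNames.includes(cookie.name)) continue; // e.g. UI preferences
    const missing = missingFlags(cookie);
    if (missing.length > 0) findings.push({ cookie: cookie.name, missing });
  }
  return findings;
}

const sampleHeaders = [
  "session=abc123; Path=/; HttpOnly; Secure",
  "session_legacy=def456; Path=/; secure",
  "theme=dark; Path=/",
  "refresh=ghi789; Path=/auth; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
];
console.log(auditCookies(sampleHeaders, ["session", "session_legacy", "refresh"]));
```

A cookie set with HttpOnly is not exposed through `document.cookie`, which is the property that distinguishes it from a token held in localStorage.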