Hacker News
by jeswin 1861 days ago
> At the time I knew literally nothing but I knew that was dumb as hell

Why? If you're worried about XSS, remember you're already toast in a million ways - including the ability to spoof a login/password form.


One reason is if you store refreshTokens in localStorage, a hacker's XSS attack can send the refreshToken to himself, and keep refreshing the token forever (or until somebody actively invalidates the session) - and thus use the token for whatever evil purpose.
Can't you just read document.cookies to get the token at that point?
I believe refresh tokens are supposed to be HTTP Only