by johncolanduoni
969 days ago
I’d like to understand the threat model under which this is supposed to be superior to a bearer token stored in a heavily restricted (__Host- prefixed, Secure, HttpOnly, SameSite=Lax) cookie. Neither can be exfiltrated by JavaScript, so they’re in pretty much the same spot as far as XSS is concerned. Both can be captured if the user agent is compromised, so there’s no difference there AFAICT. Is interception of traffic or errant logging really a big source of compromised bearer tokens?
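The "heavily restricted" cookie profile the comment lists is easy to get subtly wrong, because browsers silently refuse to store a `__Host-` cookie that breaks the prefix rules (it must carry `Secure`, must have no `Domain`, and must have `Path=/`). Below is an added example, not code from the thread or from the project under discussion: a small Node.js helper that emits such a cookie for a bearer session token, plus a checker that flags a `Set-Cookie` header which fails the profile. The cookie name `session`, the token value and the `WEAK` header are constructed sample inputs.

```javascript
// Added example (not from the HN thread): build the restricted session cookie
// the comment describes and check a Set-Cookie header against that profile.
// Rules enforced: __Host- prefix (implies Secure, no Domain, Path=/), plus
// HttpOnly and SameSite=Lax|Strict. Plain Node.js, no dependencies.

// Emit the Set-Cookie value for a bearer session token.
function hostPrefixedSessionCookie(name, token, maxAgeSeconds = 3600) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("bad cookie name");
  if (!/^[A-Za-z0-9._~-]+$/.test(token)) throw new Error("bad token characters");
  return [
    `__Host-${name}=${token}`,
    "Path=/",        // required by the __Host- prefix
    "Secure",        // required by __Host-; never sent over plain HTTP
    "HttpOnly",      // not readable through document.cookie (XSS cannot exfiltrate it)
    "SameSite=Lax",  // not attached to cross-site subrequests or cross-site POSTs
    `Max-Age=${maxAgeSeconds}`,
  ].join("; ");
}

// Parse a Set-Cookie header into { name, value, attrs }; attribute names are lowercased,
// valueless attributes (Secure, HttpOnly) become `true`.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Return the list of profile violations; an empty list means the cookie is acceptable.
function checkRestrictedCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const problems = [];
  if (!name.startsWith("__Host-")) problems.push("name lacks __Host- prefix");
  if (attrs.secure !== true) problems.push("missing Secure");
  if ("domain" in attrs) problems.push("Domain attribute not allowed with __Host-");
  if (attrs.path !== "/") problems.push("Path must be exactly /");
  if (attrs.httponly !== true) problems.push("missing HttpOnly");
  const ss = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  if (ss !== "lax" && ss !== "strict") problems.push("SameSite must be Lax or Strict");
  return problems;
}

// Constructed sample inputs: the restricted cookie, and a weak one a legacy app might set.
const GOOD = hostPrefixedSessionCookie("session", "abc123");
const WEAK = "session=abc123; Domain=example.com; Path=/; SameSite=None";

console.log(GOOD);
console.log("violations in WEAK:", checkRestrictedCookie(WEAK));
```

Run it with `node` to see the emitted header and the five violations in the weak cookie. The checker is useful as a test in a web app's CI, since a browser that rejects a malformed `__Host-` cookie gives the server no error; the session just never sticks.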