CSRF protection with JSON Web Tokens
Strictly speaking, yes, anything stored in local/session storage (which I’ll call HTML5 Storage) could be stolen in a cross-site scripting (XSS) attack. See this article. There are a lot of moving parts to consider, however. First, there are subtle differences in how HTML5 Storage and cookies are scoped with respect to JavaScript access. HTML5 Storage …