re: Please Stop Using Local Storage VIEW POST

re: I just want to jump in real quick as one of those people who like to use articles like this to make blanket decisions. A few points as why security...

I would argue that using an httpOnly cookie doesn't add any security. At best you could say that it might make it slightly less convenient for an attacker to carry out the XSS attack.

I wrote a more detailed technical explanation here: dev.to/jondubois/comment/373l

Concur. There's no threat modeling that I could think of that would hold up httpOnly as being a significant factor if the threat vector up to that point has already leveraged XSS - so your local JS context is already 0wned - at this point, the exploit code just needs to directly execute from the compromised browser instead of sending the auth token to a remote server to be exploited from there. Considering the local context is already compromised, that hardly seems more than an inconvenience to the attacker, as jondubois indicated.

code of conduct - report abuse