Really good article for opening the eyes of so many people. I want to get your opinion on something though.
So as far as I understand, it would be a bad thing to have a site that logs you in and sets a token in localStorage to be used for further authentication. This is bad because if you're vulnerable to XSS, the token can be used. One better alternative is to use a secure, httpOnly cookie (with SameSite, which isn't supported everywhere, but I'll give you that one because why the crap wasn't that in the original cookie spec, right?) with a JavaScript accessible csrf token. Aren't you still vulnerable to the same attack? In all of the ways that the csrf token is made available, it's accessible to the client. Either a metatag, or hidden input field, if it's in the DOM, it's accessible via JavaScript. Given, it's an extra step for the attacker to take, but any Pen Tester worth his salt will check csrf vulnerabilities in his first five minutes of testing. Just saying, XSS should probably be the focus in protecting your site because browser security is a bad joke.
I still agree with you, that localStorage should stop being used for authentication tokens and the like because support for localStorage can be spotty and unpredictable. I think it would be perfect to use localStorage as a local cache (of non-sensitive information).
Really good article for opening the eyes of so many people. I want to get your opinion on something though.
So as far as I understand, it would be a bad thing to have a site that logs you in and sets a token in localStorage to be used for further authentication. This is bad because if you're vulnerable to XSS, the token can be used. One better alternative is to use a secure, httpOnly cookie (with SameSite, which isn't supported everywhere, but I'll give you that one because why the crap wasn't that in the original cookie spec, right?) with a JavaScript accessible csrf token. Aren't you still vulnerable to the same attack? In all of the ways that the csrf token is made available, it's accessible to the client. Either a metatag, or hidden input field, if it's in the DOM, it's accessible via JavaScript. Given, it's an extra step for the attacker to take, but any Pen Tester worth his salt will check csrf vulnerabilities in his first five minutes of testing. Just saying, XSS should probably be the focus in protecting your site because browser security is a bad joke.
I still agree with you, that localStorage should stop being used for authentication tokens and the like because support for localStorage can be spotty and unpredictable. I think it would be perfect to use localStorage as a local cache (of non-sensitive information).
Yes
Yes