    WRT Cookies vs Local Storage. Wouldn’t a malicious script be able to steal the cookies as well?

      Cookies can have the httpOnly option set, in which case they are invisible to scripts.

        ah right! thanks

        I’m no expert on this, but from https://stackoverflow.com/questions/3220660/local-storage-vs-cookies

        “Cookies, when used with the HttpOnly cookie flag, are not accessible through JavaScript, and are immune to XSS. You can also set the Secure cookie flag to guarantee the cookie is only sent over HTTPS.”

        Cookies are vulnerable to CSRF, however. (But note https://lobste.rs/s/sesnky/csrf_is_really_dead ).
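An added example, not part of the thread above: a small JavaScript audit of a Set-Cookie header for the flags the comments mention (HttpOnly against script access, Secure against plain HTTP), plus SameSite, which is assumed here as the cookie-side CSRF control and is not named by any commenter.

```javascript
// Added example: audit a Set-Cookie header for the hardening attributes
// discussed in the thread. HttpOnly keeps the cookie out of document.cookie
// (so an injected script cannot read it), Secure limits it to HTTPS, and
// SameSite (assumed here, not mentioned in the thread) limits cross-site
// sending, which is what makes cookie sessions resistant to CSRF.

// Parse one Set-Cookie header value into its name/value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    value: eq >= 0 ? pair.slice(eq + 1) : '',
    attributes: {},
  };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i >= 0 ? attr.slice(0, i) : attr).toLowerCase();
    cookie.attributes[key] = i >= 0 ? attr.slice(i + 1) : true;
  }
  return cookie;
}

// Return the list of hardening problems found in a session cookie header.
function auditSessionCookie(header) {
  const { attributes } = parseSetCookie(header);
  const problems = [];
  if (!attributes.httponly) problems.push('missing HttpOnly: readable by injected scripts');
  if (!attributes.secure) problems.push('missing Secure: sent over plain HTTP');
  const sameSite = typeof attributes.samesite === 'string'
    ? attributes.samesite.toLowerCase() : undefined;
  if (sameSite === undefined) problems.push('missing SameSite: browser default applies, CSRF risk');
  else if (sameSite === 'none') problems.push('SameSite=None: sent on cross-site requests, CSRF risk');
  return problems;
}

// Build a hardened Set-Cookie value for a session identifier.
function hardenedSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample headers: a weak one and the hardened form.
const weak = 'session=abc123; Path=/';
const strong = hardenedSessionCookie('session', 'abc123');
console.log(auditSessionCookie(weak));   // three problems reported
console.log(auditSessionCookie(strong)); // []
```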