WRT Cookies vs Local Storage. Wouldn’t a malicious script be able to steal the cookies as well?
Cookies can have the httpOnly option set, in which case they are invisible to scripts.
Ah right! Thanks.
I’m no expert on this, but from https://stackoverflow.com/questions/3220660/local-storage-vs-cookies
Cookies are vulnerable to CSRF, however. (But note https://lobste.rs/s/sesnky/csrf_is_really_dead.)
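The two defences the thread touches on, shown as an added Node.js example that is not from any commenter here: a session cookie issued with HttpOnly (so an injected script cannot read it via document.cookie, unlike a token in local storage) and an origin check that stops a cross-site request from riding on that cookie. The function names, the `allowedOrigin` value and the sample requests are my own assumptions.

```javascript
// Added example, not from the thread. Helpers for a cookie-based session.

// Build a Set-Cookie header value. HttpOnly hides the cookie from scripts,
// Secure keeps it off plaintext HTTP, SameSite limits cross-site sending.
function buildSessionCookie(name, value, { sameSite = "Lax", maxAge = 3600 } = {}) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("bad cookie name");
  if (!/^[\x21-\x7e]+$/.test(value) || /[",;\\]/.test(value)) throw new Error("bad cookie value");
  if (!["Strict", "Lax", "None"].includes(sameSite)) throw new Error("bad SameSite");
  return `${name}=${value}; Path=/; Max-Age=${maxAge}; HttpOnly; Secure; SameSite=${sameSite}`;
}

// Parse a Cookie request header ("a=1; b=2") into an object.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// CSRF check for state-changing requests. Browsers set Origin and
// Sec-Fetch-Site themselves and pages cannot forge them, so a request
// launched from another site shows up as a mismatch. Fails closed when
// neither header is present. `allowedOrigin` is e.g. "https://app.example".
function isCsrfSafe(req, allowedOrigin) {
  const method = req.method.toUpperCase();
  if (["GET", "HEAD", "OPTIONS"].includes(method)) return true; // no state change
  const h = Object.fromEntries(Object.entries(req.headers).map(([k, v]) => [k.toLowerCase(), v]));
  const site = h["sec-fetch-site"];
  if (site && site !== "same-origin" && site !== "none") return false;
  if (h["origin"] !== undefined) return h["origin"] === allowedOrigin;
  if (h["referer"] !== undefined) return h["referer"].startsWith(allowedOrigin + "/");
  return false;
}
```

A request that passes `isCsrfSafe` should still be authenticated by looking the parsed session cookie up server-side; the check only answers "did this come from our own origin".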