Sadly there isn't a satisfying answer to that. Anything that ... • Aaron Parecki

Adam Lewis https://twitter.com/lewiada • Apr 24
and what about for storing the access token in the browser?

Sadly there isn't a satisfying answer to that. Anything that your JS can use to store any token is vulnerable to XSS. The only secure option is cookies, but that won't work with OAuth. https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

Portland, Oregon • 75°F

Tue, Apr 24, 2018 12:07pm -07:00

1 like 3 replies
- Jim Manico
Have you written a response to this? Let me know the URL:
- Jim Manico manicode.com
  
  And even if you use HTTPOnly secure same-site cookies XSS can force a forged request of any nature: XSS is game over. Nothing today solves that issue. In the future maybe token binding will stop attackers from using stolen tokens... but not replaying them from the victims browser
  
  Tue, Apr 24, 2018 7:21pm +00:00 (via brid-gy.appspot.com)
- Jim Manico manicode.com
  
  tools.ietf.org/html/draft-iet…
  tools.ietf.org/html/draft-iet…
  tools.ietf.org/html/draft-iet…
  tools.ietf.org/html/draft-iet…
  openid.net/specs/openid-c…
  tools.ietf.org/html/draft-iet…
  
  Tue, Apr 24, 2018 7:18pm +00:00 (via brid-gy.appspot.com)
- Jim Manico manicode.com
  
  I agree. All browser storage methods can be abused by XSS. XSS is game over. You can try various techniques to verify different browser characteristics after theft but meh. Real answer is token binding standards of the future...
  
  Tue, Apr 24, 2018 7:18pm +00:00 (via brid-gy.appspot.com)

Posted in /replies using monocle.p3k.io