Would it be possible/better to split the token between localstorage and a cookie? This would protect against CSRF and XSS token-stealing attacks at the same time. Part of the token is only accessible by the actual site because it is stored in localstorage, and part of the token is not accessible by JS at all, but could be sent from any site.
Yes, it has been mentioned in other comments too. It’s a nice approach!!