Open justinsunho opened 3 years ago
herokuapp.com is included in the Mozilla Foundation's Public Suffix List. This list is used in recent versions of several browsers, such as Firefox, Chrome and Opera, to limit how broadly a cookie may be scoped. In other words, in browsers that support the functionality, applications in the herokuapp.com domain are prevented from setting cookies for *.herokuapp.com.

So using localStorage is the only option for saving tokens.
Noticed that localStorage is being used to store access and refresh tokens, and Local Storage can be vulnerable to XSS attacks. An alternative could be using http-only cookies. See:
Ofc, there are limitations (time + complexity) for deciding how the tokens can be stored. I mainly wanted to open up discussion on possible solutions and considerations.
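To make the two points in this issue concrete, here is an added example (not code from the issue author or the project). It models the Public Suffix List rule quoted above as a cookie-scoping check, and builds the kind of `Set-Cookie` header the issue proposes as the alternative to localStorage: a host-only cookie carrying the token with `HttpOnly`, so page scripts (including any injected by XSS) cannot read it the way they can read localStorage. The `PUBLIC_SUFFIXES` set is a constructed three-entry stand-in for the real list at publicsuffix.org; the function names and the `refresh` cookie name are assumptions for illustration.

```javascript
// Added example, not part of the issue or project. Constructed sample of
// public suffixes; the real Mozilla list is far longer and changes over time.
const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "herokuapp.com"]);

function normalizeDomain(domain) {
  // Browsers ignore a leading dot on the Domain attribute (RFC 6265 §5.2.3).
  return domain.toLowerCase().replace(/^\./, "");
}

function isPublicSuffix(domain) {
  return PUBLIC_SUFFIXES.has(normalizeDomain(domain));
}

// RFC 6265 style domain-match: Domain must equal the request host or be a
// parent of it on a label boundary ("example.com" matches "app.example.com").
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = normalizeDomain(domain);
  return host === domain || host.endsWith("." + domain);
}

// Returns the effective cookie domain, or null when a PSL-aware browser
// would reject the cookie. A Domain of "herokuapp.com" is rejected because
// every tenant app under that suffix would otherwise receive the cookie.
function cookieDomainAllowed(host, domainAttr) {
  if (!domainAttr) return host.toLowerCase(); // host-only cookie, always fine
  const domain = normalizeDomain(domainAttr);
  if (!domainMatches(host, domain)) return null; // not a parent of the host
  if (isPublicSuffix(domain)) return null;       // shared suffix, rejected
  return domain;
}

// Builds a Set-Cookie header for a token. No Domain attribute is emitted:
// the cookie is host-only, which is both the safe choice and the only one
// available to an app on *.herokuapp.com. HttpOnly keeps it out of
// document.cookie; Secure limits it to HTTPS; SameSite=Strict limits CSRF.
function buildTokenCookie(name, value, maxAgeSeconds) {
  return [
    `${name}=${encodeURIComponent(value)}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

// Review helper: parse a Set-Cookie header and list the hardening
// attributes it is missing, for use in a response-header test.
function missingCookieFlags(setCookieHeader) {
  const attrs = setCookieHeader
    .split(";")
    .slice(1)
    .map((a) => a.trim().toLowerCase());
  const missing = ["httponly", "secure"].filter((r) => !attrs.includes(r));
  if (!attrs.some((a) => a.startsWith("samesite="))) missing.push("samesite");
  return missing;
}

// Stand-alone demonstration on constructed inputs.
console.log(cookieDomainAllowed("myapp.herokuapp.com", "herokuapp.com")); // null
console.log(cookieDomainAllowed("app.example.com", ".example.com"));      // example.com
const header = buildTokenCookie("refresh", "constructed-token-value", 3600);
console.log(header);
console.log(missingCookieFlags("refresh=x; Path=/"));
```

Note that the cookie only protects the token from being read by scripts; the server still needs the usual CSRF defences for a cookie-authenticated endpoint, which is what the `SameSite` attribute and a per-request token are for.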