Hello, I want to use the Auth0-spa-js lib and I saw that tokens are stored in memory.
I know that's better than storing them in localStorage (which can be exposed to an XSS attack).
But if I load a malicious script, can it steal tokens stored in memory?
I suppose tokens are stored in simple vars, so why can't they be exposed to this type of attack?
The cacheLocation: 'localstorage' feature will allow the caching of data such as ID and access tokens to be stored in local storage. Exercising this option changes the security characteristics of your application and should not be used lightly. Extra care should be taken to mitigate against XSS attacks and minimize the risk of tokens being stolen from local storage.
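To make the difference between the two cache modes concrete for both the question above (tokens held in plain variables) and the quoted cacheLocation note, here is an added, self-contained JavaScript model. It is not auth0-spa-js code: `createClient`, `handleLogin`, the storage key prefix and the stand-in `localStorage` object are all illustrative constructs, and the token value is a constructed string, not a real JWT. It runs the same simulated XSS payload against a client configured with `cacheLocation: 'localstorage'` and one using the default in-memory cache.

```javascript
// Added example, not code from the auth0-spa-js project or from the post.
// Constructed stand-in for window.localStorage so this runs in Node.
function makeFakeLocalStorage() {
  const data = new Map();
  return {
    setItem: (k, v) => data.set(k, String(v)),
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    key: (i) => [...data.keys()][i] ?? null,
    get length() { return data.size; },
  };
}

// Memory cache: the token lives only in this closure's `store` binding.
// Nothing reachable by name (no global, no property, no storage key)
// points at it, so code that did not create the closure cannot enumerate it.
function createMemoryCache() {
  const store = new Map();
  return { set: (k, v) => store.set(k, v), get: (k) => store.get(k) };
}

// localStorage cache: the token becomes a plain string under a predictable
// key. The prefix is illustrative; it is not the SDK's real key format.
function createLocalStorageCache(storage) {
  const prefix = '@@example-spa@@::';
  return {
    set: (k, v) => storage.setItem(prefix + k, JSON.stringify(v)),
    get: (k) => {
      const raw = storage.getItem(prefix + k);
      return raw === null ? undefined : JSON.parse(raw);
    },
  };
}

// Hypothetical client that mirrors the cacheLocation option (assumed shape,
// not the real SDK API).
function createClient({ cacheLocation = 'memory', storage } = {}) {
  const cache = cacheLocation === 'localstorage'
    ? createLocalStorageCache(storage)
    : createMemoryCache();
  return {
    // Stands in for the redirect / silent-auth flow that obtains a token.
    handleLogin(accessToken) { cache.set('access_token', accessToken); },
    getTokenSilently() { return cache.get('access_token'); },
  };
}

// What injected (XSS) code can do with no reference to the client at all:
// walk every key in localStorage and collect anything that looks like a token.
function harvestStorage(storage) {
  const found = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (/token/i.test(k)) found.push({ key: k, value: JSON.parse(storage.getItem(k)) });
  }
  return found;
}

// Run the same payload against both configurations.
function simulate() {
  const token = 'eyJ.constructed.sample'; // constructed value, not a real JWT

  // 1. localStorage cache: the token is sitting in storage for anyone to read.
  const lsStorage = makeFakeLocalStorage();
  const lsClient = createClient({ cacheLocation: 'localstorage', storage: lsStorage });
  lsClient.handleLogin(token);
  const fromLocalStorage = harvestStorage(lsStorage).map((e) => e.value);

  // 2. Memory cache: storage enumeration finds nothing...
  const memStorage = makeFakeLocalStorage();
  const memClient = createClient({ cacheLocation: 'memory', storage: memStorage });
  memClient.handleLogin(token);
  const fromMemoryViaStorage = harvestStorage(memStorage).map((e) => e.value);

  // ...but injected code runs in the same page, so if it can reach the client
  // object (for example through a global the app created), it can simply call
  // the same API the app uses. Memory caching removes the storage attack
  // surface; it does not make XSS harmless.
  const fromMemoryViaApi = memClient.getTokenSilently();

  return { fromLocalStorage, fromMemoryViaStorage, fromMemoryViaApi };
}

console.log(simulate());
```

The point the model shows: with `localstorage` the payload needs nothing but access to `localStorage` (which every script on the origin has), whereas with the memory cache the payload has to obtain a reference to the client and invoke it, so keeping the client out of global scope and hardening the page against script injection in the first place (CSP, output encoding) still matters.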