Is auth0-spa-js storing tokens in localStorage vulnerable to XSS?

Hello, I want to use the Auth0-spa-js lib and I saw that tokens are stored in memory.
I know that’s better than storing them in localStorage (which can be exposed to XSS attacks).

But if I load a malicious script, can it steal tokens stored in memory?
I suppose tokens are stored in simple vars, so why can’t they be exposed to this type of attack?

Hi @quequierebego,

Welcome to the Auth0 Community!

As stated in the auth0-spa-js SDK’s GitHub repo:

The cacheLocation: 'localstorage' feature will allow the caching of data such as ID and access tokens to be stored in local storage. Exercising this option changes the security characteristics of your application and should not be used lightly. Extra care should be taken to mitigate against XSS attacks and minimize the risk of tokens being stolen from local storage.

Let me know if you have any questions!

I don’t plan to use the localStorage option.
The documentation says:

The Auth0 SPA SDK stores tokens in memory by default.

What I want to know is whether that “memory” storage could be vulnerable to a malicious script that can access that memory to steal tokens.

Here is a SO post that answers your question:

cookies - How storing JWT in-memory is not vulnerable to XSS? - Stack Overflow.

Thank you! That solves my question :innocent:
