Well, if someone really manages to get a copy of that token from the localStorage of a user's browser: Yes. However, there's now way to get access to the localStorage from a different domain (as far as I know). The attacker would have to place a script on the site itself and if he's able to do that, he's probably also able to access its contents.
When talking about cookies, there's also a way to limit those to certain URLs.
2 comments
[ 5.4 ms ] story [ 16.2 ms ] threadWhen talking about cookies, there's also a way to limit those to certain URLs.