2 comments

[ 5.4 ms ] story [ 16.2 ms ] thread
What happens if an attacker (say through xss) gets a copy of the JWT? Can it then be used to make legit calls to the API?
Well, if someone really manages to get a copy of that token from the localStorage of a user's browser: Yes. However, there's now way to get access to the localStorage from a different domain (as far as I know). The attacker would have to place a script on the site itself and if he's able to do that, he's probably also able to access its contents.

When talking about cookies, there's also a way to limit those to certain URLs.