I read this whole post and came across that answer for storing JWT tokens on frontend : https://stackoverflow.com/a/63593954
To sum-up :
Store your access token in memory and store your refresh token in the cookie
Why is this safe from CSRF?
Although a form submit to /refresh_token will work and a new access token will be returned, the attacker can't read the response if they're using an HTML form. To prevent the attacker from successfully making a fetch or AJAX request and read the response, this requires the Authorization Server's CORS policy to be set up correctly to prevent requests from unauthorized websites.
You can read more about it here:
I do not understand the following part : "Although a form submit to /refresh_token will work and a new access token will be returned, the attacker can't read the response if they're using an HTML form"
To me, if the attacker manage to inject Javascript Code through XSS that will send an HTTP to /refreshtoken, then he will be able to read the response, thus retrieve the AccessToken and maybe send it to his malicious external server to us it.
Am I missing something? Thanks a lot !
