I'm building a web application (API + SPA Rails) to learn / have fun and I'm researching authentication. The most commonly recommended approach for authenticating SPAs that I have read is to place the authentication token (such as a JWT) in a secure, HTTP-only cookie to protect it from XSS. This seems to have some consequences:
But what is the real disadvantage of just storing the authentication token in the browser's storage (i.e., session storage)? XSS becomes slightly more convenient for the attacker? Even with an HTTP-only cookie, the attacker can still use the authentication token by addressing requests directly from the site, because if there is an XSS vulnerability, it is not necessary to be able to read the token to use it.
It seems that the popular recommendation only complicates things to protect against CSRF simply to make things a bit more difficult for the attacker in the case of XSS. Due to the number of resources making these recommendations, I feel that I am missing something and I would appreciate any comments or clarification!
Here are some sources I've read that have been quite categorical against browser storage for authentication tokens:
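As an added illustration (not part of the question, and not Rails code), the following plain-Ruby snippet shows the server-side work that the cookie approach brings with it: once the session token lives in an HttpOnly cookie, the browser attaches it to every request automatically, so state-changing requests need a CSRF check (here an Origin allowlist plus a double-submit CSRF cookie) on top of the cookie itself. The origin `https://app.example.test`, the `req` hash standing in for a Rack env, and the session table are assumptions for the example. Note what the check does and does not do: it rejects forged cross-site requests, but a request made by script already running on the allowed origin passes, which is exactly the point the question raises about XSS.

```ruby
# Added example: cookie-based session storage for an SPA API, with the CSRF
# check that cookie storage makes necessary. Not taken from the question.
require 'securerandom'

ALLOWED_ORIGINS = ['https://app.example.test'].freeze # hypothetical SPA origin
SAFE_METHODS    = %w[GET HEAD OPTIONS].freeze          # no CSRF check needed

# Set-Cookie header for the session token. HttpOnly keeps it out of
# document.cookie, Secure keeps it off plain HTTP, and SameSite=Lax stops the
# browser from attaching it to most cross-site POSTs.
def session_cookie_header(token)
  "session=#{token}; Path=/; HttpOnly; Secure; SameSite=Lax"
end

# The CSRF token is deliberately NOT HttpOnly: the SPA reads this cookie and
# echoes it in a request header (double-submit pattern). A cross-site page
# cannot read it, so it cannot produce a matching header.
def csrf_cookie_header(csrf)
  "csrf=#{csrf}; Path=/; Secure; SameSite=Lax"
end

def new_csrf_token
  SecureRandom.hex(16)
end

# Parse a Cookie request header into a name => value hash.
def parse_cookies(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, acc|
    name, value = pair.split('=', 2)
    acc[name] = value if name && value
  end
end

# Compare two strings without leaking where they differ through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decide whether a request is authenticated.
#   req      - hash standing in for the Rack env: :method, :cookie, :origin,
#              :csrf_header (value of an X-CSRF-Token header)
#   sessions - hash of valid session token => user id (server-side store)
# Returns [:accept, user] or [:reject, reason].
def authenticate(req, sessions)
  cookies = parse_cookies(req[:cookie])
  user = sessions[cookies['session']]
  return [:reject, 'no valid session cookie'] unless user

  unless SAFE_METHODS.include?(req[:method])
    # The browser sets Origin on cross-site requests and page script cannot
    # override it, so an allowlist catches forged requests from other sites.
    return [:reject, 'bad origin'] unless ALLOWED_ORIGINS.include?(req[:origin])

    # Double-submit: the header must match the csrf cookie exactly.
    header = req[:csrf_header].to_s
    cookie = cookies['csrf'].to_s
    return [:reject, 'csrf mismatch'] if header.empty? || !constant_time_equal?(header, cookie)
  end

  [:accept, user]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data: one valid session for user "alice".
  sessions = { 'tok-constructed' => 'alice' }
  csrf = new_csrf_token
  puts session_cookie_header('tok-constructed')
  puts csrf_cookie_header(csrf)
  p authenticate({ method: 'GET', cookie: 'session=tok-constructed' }, sessions)
  p authenticate({ method: 'POST', cookie: "session=tok-constructed; csrf=#{csrf}",
                   origin: 'https://evil.example.test', csrf_header: csrf }, sessions)
  p authenticate({ method: 'POST', cookie: "session=tok-constructed; csrf=#{csrf}",
                   origin: 'https://app.example.test', csrf_header: csrf }, sessions)
end
```

The cross-site POST in the sample is rejected even though the cookie is present in the hash; in a real browser SameSite=Lax would usually not attach it at all, and the Origin check is the server-side layer that does not depend on that. The last call shows the limit the question points at: a request that originates from the allowed origin with the readable CSRF cookie echoed back is accepted, whether a user or an injected script produced it.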