2
votes

A lot has been written about the secure way of storing tokens in typical single page applications (cookies vs. local storage) and using cookies is often presented as the better option. [1] [2] [3]

The reason is that storing session data in local storage is susceptible to XSS attacks. Cookies have a CSRF problem, but from the texts it seems it shouldn't be a problem to implement a CSRF protection.

However, I can't imagine CSRF protection of a REST API for an SPA which would not be vulnerable to XSS (unless we are talking about reauthentication and CAPTCHAs), and even OWASP mentions in the CSRF Prevention Cheat Sheet:

...any cross-site scripting vulnerability can be used to defeat all CSRF mitigation techniques available in the market today (except mitigation techniques that involve user interaction...

So if cookies don't have an XSS problem but do have a CSRF problem, but CSRF protection is useless if XSS is present, why are they considered the better option? In case this is not true, what would be the CSRF protection immune to XSS?


1 Answer

3
votes

Saying that storing the auth token in an httpOnly cookie is "immune" to XSS only means that the token itself cannot be accessed via XSS. In no way does it mean that the application may not be vulnerable.

If the application is vulnerable to XSS (which it still can be, ofc), anything can be accessed on the client, including the CSRF token, or any data shown or processed in the client. Only the login/auth token in the httpOnly cookie is inaccessible, which means the attacker at least can't steal the session. But that's far from being safe from XSS.