
Why JSON Web Tokens Are Truly Awesome - mindrun
https://medium.com/@leo/why-json-web-tokens-are-truly-awesome-23fb80b7fc20#.uch8c03nn
======
bikamonki
What happens if an attacker (say through xss) gets a copy of the JWT? Can it
then be used to make legit calls to the API?

~~~
mindrun
Well, if someone really manages to get a copy of that token from the
localStorage of a user's browser: Yes. However, there's no way to get access
to the localStorage from a different domain (as far as I know). The attacker
would have to place a script on the site itself, and if he's able to do that,
he's probably also able to access its contents.

When talking about cookies, there's also a way to limit those to certain URLs.
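The two points in the reply above (a token in localStorage is readable by any script running on the page, while a cookie can be scoped to certain URLs via its Path attribute and hidden from script via HttpOnly) can be checked with a small model of browser cookie rules. The code below is an added example, not part of the thread or of the linked article; the function names, the `Path=/api` choice, the `SameSite=Strict` attribute, and the sample JWT are assumptions constructed for the demonstration. Path matching follows the rule in RFC 6265 section 5.1.4.

```javascript
// Added example (not from the thread): model how a JWT stored in a cookie is
// scoped to URLs and shielded from page script, versus localStorage where any
// script on the origin can read it.

// Constructed sample token (header.payload.signature, base64url) - not a real credential.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJkZW1vIn0.c2lnbmF0dXJl';

// Path-match rule from RFC 6265 section 5.1.4: the cookie path must equal the
// request path, or be a prefix of it ending in "/" or followed by "/".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Build the Set-Cookie header value a server would send for the JWT.
// Path limits which URLs receive the cookie; HttpOnly keeps it out of
// document.cookie; Secure restricts it to HTTPS; SameSite limits cross-site sends.
function buildTokenCookie(name, jwt, opts = {}) {
  const { path = '/api', maxAge = 900 } = opts;
  // JWTs are base64url segments joined by dots; reject anything else before
  // it can corrupt the header.
  if (!/^[A-Za-z0-9_.-]+$/.test(jwt)) throw new Error('invalid token characters');
  return [
    `${name}=${jwt}`,
    `Path=${path}`,
    `Max-Age=${maxAge}`,
    'Secure',
    'HttpOnly',
    'SameSite=Strict',
  ].join('; ');
}

// Parse a Set-Cookie header value back into the attributes a browser tracks.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    path: '/',
    httpOnly: false,
    secure: false,
    sameSite: 'Lax',
  };
  for (const attr of attrs) {
    const [key, val] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'path': cookie.path = val; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'secure': cookie.secure = true; break;
      case 'samesite': cookie.sameSite = val; break;
      default: break; // Max-Age etc. do not affect the checks below
    }
  }
  return cookie;
}

// Would the browser attach this cookie to a request for requestPath?
function sentWith(cookie, requestPath, https = true) {
  if (cookie.secure && !https) return false;
  return pathMatches(cookie.path, requestPath);
}

// Could page script (document.cookie) read this cookie? HttpOnly says no.
// A token kept in localStorage has no such flag: every script on the origin
// can read it, which is the exposure the question above is about.
function readableByScript(cookie) {
  return !cookie.httpOnly;
}

// Stand-alone demonstration.
const header = buildTokenCookie('session', SAMPLE_JWT);
const cookie = parseSetCookie(header);
console.log(header);
console.log('readable by script:', readableByScript(cookie));
for (const p of ['/api/users', '/apiary', '/static/app.js']) {
  console.log(`sent with ${p}:`, sentWith(cookie, p));
}
```

The server side still has to treat the cookie as a bearer credential: because the browser attaches it automatically, the `SameSite` attribute (or a CSRF token) is what stops other sites from triggering authenticated requests, which is a consideration localStorage tokens sent in an Authorization header do not have.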

