But any XSS would give access to your authentication token; this is why you should never store it in local storage. Cookies have the HttpOnly flag that prevents JavaScript from accessing the cookie in case of XSS.
HttpOnly doesn't really do much to stop an attacker that already has XSS. The attacker just makes the XSS perform the interactions they want directly instead of bothering to steal the cookie.
I would love to move away from cookies. They're included in every single network request which really bloats things up. By passing along data manually we could send only what is needed.
> Could we just avoid cookies altogether, and store session info in local storage?
Several possible issues there:
- If the session is large, it eats space on the user's machine and bandwidth in requests
- The session can't be shared across devices
- Security concerns. You don't want to trust the user to tell you what their current state is - especially if it's "I have this much money in my account" and the like. Even if you encrypted the data, they could resend the same state at a later time - "oh look, I have a full wallet again!"
You're much safer if all the user sends is "here's who I am" and every bit of associated information is under your control server-side.
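The replay problem from the comment above, as an added example that is not part of the original thread: a Node.js sketch comparing client-held encrypted state with a server-side session. All function names are hypothetical, the key and values are constructed, and AES-256-GCM is assumed as the encryption.

```javascript
const crypto = require("node:crypto");

// Constructed demo key; a real server would load it from a secret store.
const KEY = crypto.randomBytes(32);

// Design A: the wallet balance lives in an encrypted blob held by the client.
function sealState(state) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", KEY, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(state), "utf8"), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString("base64");
}
function openState(blob) {
  const raw = Buffer.from(blob, "base64");
  const d = crypto.createDecipheriv("aes-256-gcm", KEY, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return JSON.parse(Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString("utf8"));
}
// The server accepts any blob that decrypts: tampering fails, staleness does not.
function spendClientHeld(blob, amount) {
  const state = openState(blob);
  if (state.balance < amount) throw new Error("rejected");
  return sealState({ ...state, balance: state.balance - amount });
}

// Design B: the client sends only a random session id; the balance stays server-side.
const sessions = new Map();
function login(user, balance) {
  const sid = crypto.randomBytes(16).toString("hex");
  sessions.set(sid, { user, balance });
  return sid;
}
function spendServerHeld(sid, amount) {
  const s = sessions.get(sid);
  if (!s || s.balance < amount) throw new Error("rejected");
  s.balance -= amount;
  return s.balance;
}

function demo() {
  const full = sealState({ user: "alice", balance: 100 });
  const spent = spendClientHeld(full, 100);    // client now holds a balance-0 blob
  const replayed = spendClientHeld(full, 100); // the old "full wallet" blob still works
  const sid = login("alice", 100);
  spendServerHeld(sid, 100);
  let second = "accepted";
  try { spendServerHeld(sid, 100); } catch (e) { second = e.message; }
  return { clientAfter: openState(spent).balance,
           replayAccepted: openState(replayed).balance === 0, serverSecondSpend: second };
}
```

Making Design A replay-safe requires the server to remember something per user (a version counter or a list of consumed blobs), which is already server-side session state.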
But as you say, that would require JavaScript to be available, making it impossible to build web apps that store user state without relying on JS (well, I guess there’s HTTP Basic Auth) and breaking a large part of the internet in the process. Not everything is a client-side single-page web app.
I know what you're saying, but it's 2019 and JavaScript is everywhere. I think most sites rely on at least some JavaScript to provide a reasonable experience for users. Do you have any examples of popular web apps that don't use js?
I've been getting more aggressive about disabling Javascript by default, and for all that people complain, I've been pleasantly surprised how many sites still mostly work without it (some news sites work even better). A larger portion of the web than you might expect still respects the division between content, styling, and functionality.
Hackernews and Reddit (at least the old version) are the two examples that spring to the top of my mind as sites that I sometimes log into without Javascript. Hackernews works so well that I sometimes don't realize I have Javascript turned off. A lot of forums fall into that category.
I'm certainly not anti-JS, I like the language quite a bit and often stick up for it when it gets bashed on HN. But the ability to fall back on non-JS solutions to some problems is an important part of the web, and I wouldn't like to see it disappear. Particularly while we're in the middle of a fight over user-tracking. I think it's important to support graceful fallbacks, and cookies are a pretty good way of doing that.
> I've been getting more aggressive about disabling Javascript by default
What is the opposition to JavaScript exactly? Is it a privacy matter, you want to block all ad trackers? Do ad blocker plugins not suffice? Or are you concerned about security vulnerabilities with JavaScript? Or is there something else I'm not getting?
It's mostly privacy. It's a very small amount about security. It's a little bit about data-usage and a few other annoyances.
Where privacy is concerned, we're currently losing the war on fingerprinting. I don't think we're going to lose the war on fingerprinting in the long run, but there's just a lot of stuff we need to do with the language and it's going to take a little while before we get to a point where I feel comfortable saying that arbitrary Javascript can't identify my computer. It's just something we ignored for a long time and we have a long ways to go.
UBlock Origin is really good, but privacy is a continuum. So for a non-technical person, I'd install UBlock Origin and call it a day. For someone who's familiar with the web, I'd install UMatrix with the default settings. For someone who's really familiar with the web, and who really wants to be safe, I'd install UMatrix and switch a few default settings (disabling cookies by default and disabling Javascript by default).
Each step there will make you slightly safer, depending on what percentage of malicious code you want to block. Sometimes trackers are served as 1st-party requests.
I don't have any opposition to Javascript in general; there are more than a few native apps that I wish were just web apps, because the web is a better sandbox (and frankly a better platform) than most native environments. It's just a little complicated because we're currently in the middle of a fight over how the web should work.
So it's not an indefinite, "no web-code ever" position. It's "be more careful than usual, because an abnormally high number of bad actors are focused on this platform, and not everything is safe-by-default." Ignoring the debate over site-breakage, the changes here around CSRF should be a decent step in that direction.
On a less practical note, it's also because I can. I really like Javascript, a lot. I also really like separation of concerns, and I think the separation between content and functionality is a really good architecture decision that people should pay attention to. On a purely aesthetic, emotional level I like that I can load a page without executing JS. Heck, occasionally I'll even turn off CSS. There's very little practical reason for that, other than a kind of irrational, "I like that the web lets me do this, most other platforms don't, and it makes me happy to remind myself I can."
But I would guess most people don't fall into that category, that's probably just me being weird.
Oh, I agree that just about all apps use JavaScript to some degree, but the question is whether that’s for progressive enhancement or as a fundamental requirement. Wikipedia for example works fine without JS (including editing). Pinboard is one of my favourite apps and uses hardly any JS. That one’s perhaps a bit niche, but hell, even Gmail and Facebook still maintain basic “HTML versions” that deliver reasonable (some might say better) user experiences without JavaScript.
I build single-page web apps for a living, so I’m by no means opposed to JavaScript, but I think the web would be worse off if browsers imposed it as a requirement.
It is more work to emulate what you get for free by using cookies. You need to handle expiration etc. yourself. Plus, you don’t have the protection of HttpOnly cookies if you go that route.
Sure it takes a bit of JS to pass the data as part of a request, but at least you're not prone to CSRF issues.
I'm not sure there are many use cases where I really need cookies if I have local storage and JS available.