
Is storing authentication tokens in local storage with a strong CSP safe?

Çağlar Arlı


Whenever the topic comes up, almost every source recommends never storing authentication tokens in a place where they can be accessed by client-side JavaScript. The recommendation is almost always to store them in an HttpOnly cookie to protect them.

My interpretation of this advice is that it is meant to limit the damage XSS attacks could cause, as the HttpOnly cookie wouldn't be accessible from JS. The part I never see addressed, though, is if and how the ability to set a strong Content Security Policy changes the risk calculation here.

If I start a new application and set a strong CSP that prohibits all JS except what I bundle with my app, XSS attacks should be essentially impossible in all non-ancient browsers (and a modern JS app wouldn't run in the ancient ones anyway). Cookies also add other potential security issues like CSRF, though there are modern security features to mitigate those as well.

Assuming that you set a strong Content Security Policy, is there still a security advantage of storing credentials/sessions in cookies over local storage?