nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Child Item

Using implicit grant on frontend web app, where to safely store access code?

cloudlife

Sorry I'm still quite new to web development, but it seems like I wouldn't be able to save the access code into an httponly cookie. I've read that Angular has a way of sending cookies for requests that are only coming from my domain, which would deal with CSRF while the httponly deals with XSS.

https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

Therefore in order to maintain user session, and keep them logged in across multiple sessions, is to save it into localStorage? Is this right or is there another way?

If I do save it into localStorage, I would need to be very careful about XSS attacks, particularly code libraries that could be potentially compromised?

Any advice, even just a good article for reference, would be greatly appreciated!

Find more posts tagged with

API

Abuse

Accepted answers

Greg-DB

The API v2 Dropbox JavaScript SDK does not handle access token storage automatically. It is left to the developer to decide what makes sense for their app/platform.

All comments

Greg-DB

We're happy to help with any issues or questions you have regarding the Dropbox API itself, but we can't offer app security advice. If you have any security questions, you should consult with a security professional.

That said, using local storage sounds like a reasonable solution in your case, but I can't speak to the security aspects.

cloudlife

Thanks for the reply! Would I be able to ask you about how the dropbox javascript SDK handles secure storage of the access code? Or is that left to the developer? Thanks again

Greg-DB

The API v2 Dropbox JavaScript SDK does not handle access token storage automatically. It is left to the developer to decide what makes sense for their app/platform.