Security of socket token

In Phoenix example, token for socket is written to html and front-end connects to socket using that.

I think it’s vulnerable to XSS. Isn’t it?

Is there a way to connect socket with token in secure?


I put it in a cookie and then use javascript on the page to read it from the cookie to put into the socket constructor.


But cookies that can be accessed by javascript are also vulnerable to XSS.
cookies need to be used with HttpOnly flag to be protected from access via javascript.

1 Like

That only happens if the site is vulnerable to XSS (like not escaping output strings on templates). If you can put proper guards in place, it can be secure. Thankfully Phoenix (eex) have sensible defaults that prevent us from XSS (e.g. <%= %> automatically escape strings).

Although I agree it’s less guarded than HttpOnly cookies that get sent with every requests.