Security of socket token

In the Phoenix example, the token for the socket is written into the HTML and the front end connects to the socket using that.

I think it’s vulnerable to XSS. Isn’t it?

Is there a way to connect the socket with a token securely?

3 Likes

I put it in a cookie and then use JavaScript on the page to read it from the cookie and pass it to the socket constructor.

2 Likes

But cookies that can be accessed by JavaScript are also vulnerable to XSS.
Cookies need to be set with the HttpOnly flag to be protected from access via JavaScript.

1 Like

That only happens if the site is vulnerable to XSS (like not escaping output strings in templates). If you put proper guards in place, it can be secure. Thankfully Phoenix (EEx) has sensible defaults that protect us from XSS (e.g. <%= %> automatically escapes strings).

Although I agree it’s less guarded than HttpOnly cookies, which get sent with every request.

3 Likes
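The pattern the thread is discussing, written out as an added example (not code from the thread or from the Phoenix guide): the token is minted with Phoenix.Token, rendered through the auto-escaping `<%= %>` tag, and verified in `connect/3` with a `max_age`, so a token that does leak through an XSS hole stops working after a bounded window. Module names, the salt string, the `:current_user` assign and the one-hour `max_age` are assumptions.

```elixir
# Added example, not from the thread. Module names, salt and max_age are assumed.
defmodule MyAppWeb.Plugs.PutUserToken do
  @moduledoc "Mints a short-lived socket token for the logged-in user (assumed :current_user assign)."
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    case conn.assigns[:current_user] do
      nil -> conn
      user -> assign(conn, :user_token, Phoenix.Token.sign(conn, "user socket", user.id))
    end
  end
  # Render it with the auto-escaping tag, never with raw/1:
  #   <script>window.userToken = "<%= @user_token %>";</script>
end

defmodule MyAppWeb.UserSocket do
  use Phoenix.Socket

  # Reject tokens older than one hour, so a token that does leak stops working soon.
  @max_age 60 * 60

  channel "room:*", MyAppWeb.RoomChannel

  @impl true
  def connect(%{"token" => token}, socket, _connect_info) do
    # Same salt as the signing side; verify/4 checks the signature and the age together.
    case Phoenix.Token.verify(socket, "user socket", token, max_age: @max_age) do
      {:ok, user_id} -> {:ok, assign(socket, :user_id, user_id)}
      {:error, _expired_or_invalid} -> :error
    end
  end

  # No token at all: refuse instead of falling back to an anonymous socket.
  def connect(_params, _socket, _connect_info), do: :error

  # Naming sockets per user lets you cut off a compromised account on logout:
  #   MyAppWeb.Endpoint.broadcast("user_socket:#{user_id}", "disconnect", %{})
  @impl true
  def id(socket), do: "user_socket:#{socket.assigns.user_id}"
end
```

The `max_age` and the per-user `id/1` do not stop an XSS payload from reading `window.userToken`; they limit how long and how far a stolen token can be used, which is the trade-off the last reply describes.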