Hats off, you made it! After reading and skimming Show HN: Device-Bound Session Tokens in JavaScript ( https://news.ycombinator.com/item?id=40052684 ) I had the "same" idea to explore a PoC, but never did. Thanks!
throwaway888abc | 12 days ago
So I don't fully understand what you're preventing
exports the private key if I have an XSS vuln. The recommendation for IP address in the JWT is good, but I don't understand your last recommendation of 1) sending the JWT, 2) additionally sending the base64 JWT in a header, 3) sending the signature in the header. The crypto.subtle API only works on HTTPS domains, so you're not defending against MITM attacks on insecure networks either. And if we can't trust TLS, what can we trust on the web?