Another interesting approach is the one used in ProtonMail, using the SessionVars trick by Thomas Frank.
It combines in-memory storage for XSS safety, and a combination of SessionStorage and `window.name` to split the token into secret random parts, each taking its separate channel, to ensure the token survives a page reload.
I wrote about the details on how it works [1] and packed a TypeScript implementation on NPM [2].
It combines in-memory storage for XSS safety, and a combination of SessionStorage and `window.name` to split the token into secret random parts, each taking its separate channel, to ensure the token survives a page reload.
I wrote about the details on how it works [1] and packed a TypeScript implementation on NPM [2].
[1] https://francoisbest.com/posts/2019/how-to-store-e2ee-keys-i...
[2] https://github.com/47ng/session-keystore