Solution (unvalidated)
Safe storage is either HTTP-only cookie storage or Session Storage — store JWTs on the client. Tension: Local Storage could not be used for the exact same reason you mention, XSS attacks. Outcome: I personally prefer the former if possible, but both are considered to be valid choices.
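As an added example (not part of the original answer), here is the Set-Cookie header a server would send to keep a JWT in an HttpOnly cookie, together with a check that flags a header missing the attributes that keep the token out of reach of page script; the cookie name `session` and the token value are assumptions.

```javascript
// Added example, not from the original answer. A JWT kept in an HttpOnly cookie
// is never readable through document.cookie, so script injected by XSS cannot
// exfiltrate it; Local Storage offers no such barrier.
const SAMPLE_JWT = "eyJhbGciOiJIUzI1NiJ9.e30.placeholder"; // constructed, not a real token

// Build the Set-Cookie value for the JWT session cookie (cookie name assumed):
//  HttpOnly -> not exposed to document.cookie (XSS mitigation)
//  Secure   -> only sent over HTTPS
//  SameSite -> not attached to cross-site requests (CSRF mitigation)
function jwtCookieHeader(token, maxAgeSeconds) {
  // JWTs are base64url segments joined by '.'; reject anything else so the
  // value cannot smuggle ';' or whitespace into the header.
  if (!/^[A-Za-z0-9._-]+$/.test(token)) {
    throw new Error("token contains characters not allowed in a cookie value");
  }
  return [
    `session=${token}`,
    `Max-Age=${maxAgeSeconds}`,
    "Path=/",
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

// Parse a Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Return the protections a Set-Cookie header lacks; an empty list means the
// token is stored the way the answer above recommends.
function missingProtections(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  if (!attrs.httponly) missing.push("HttpOnly");
  if (!attrs.secure) missing.push("Secure");
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (sameSite !== "strict" && sameSite !== "lax") missing.push("SameSite=Strict|Lax");
  return missing;
}

console.log(jwtCookieHeader(SAMPLE_JWT, 900));
console.log("weak cookie is missing:", missingProtections("session=abc; Path=/"));
```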