Firebase authentication


William Turmel

Jun 19, 2023, 1:47:52 PM
to Firebase Google Group
Hi,

I was wondering why Firebase Authentication stores auth info (access token, refresh token, etc.) in the IndexedDB of the browser.

I read a lot about this and it is vulnerable to XSS attacks. I also read that a better solution is to use HttpOnly cookies.

Does Firebase use something behind the scenes to prevent this XSS attack?

Thanks in advance!

Anthony Li

Jun 20, 2023, 1:36:40 AM
to Firebase Google Group
Following, as I have the exact same question! Firebase is creating a JWT that has all of the user/token information, and I can't find anything in the Firebase documentation that lets you alter what is in that JWT.

Based on what I've read, the only thing that should really be exposed in the JWT is the access token and potentially email? 

Thanks!
Anthony
