The reason why the demo works only for Mozilla is because copying cookies to emulate an attacker is simplest on Mozilla. On chrome and other browsers, you can’t see the refresh token cookie unless you load the refresh token path in the URL. Which for demo purposes is difficult to communicate. There is no inherent limitation and the solution works the same on all browsers.