In the blog about cookies vs localstorage and security would it not make more sense to have the refr...
In the blog about cookies vs localStorage and security, would it not make more sense to have the refresh token in an HttpOnly cookie and just have the access token in memory? In a CSRF attack only the refresh token would be sent, so no malicious action could be taken. In an XSS attack there is nothing in localStorage to get and the cookie is inaccessible.