Another interesting approach is the one used in ProtonMail, using the SessionVars trick by Thomas Frank.<p>It combines in-memory storage for XSS safety, and a combination of SessionStorage and `window.name` to split the token into secret random parts, each taking its separate channel, to ensure the token survives a page reload.<p>I wrote about the details on how it works [1] and packed a TypeScript implementation on NPM [2].<p>[1] <a href="https://francoisbest.com/posts/2019/how-to-store-e2ee-keys-in-the-browser" rel="nofollow">https://francoisbest.com/posts/2019/how-to-store-e2ee-keys-i...</a><p>[2] <a href="https://github.com/47ng/session-keystore" rel="nofollow">https://github.com/47ng/session-keystore</a>