Store authentication tokens in a cookie instead of session storage.
Session storage is not secure and is vulnerable to cross-site scripting attacks.
Move the auth token into a cookie and read the token from the cookie instead of from session storage.
No.
Do you have any sources to back this up?
Session storage is not secure and is vulnerable to cross-site scripting attacks.
I would argue that you would have a similar issue with a cookie, using a CSRF attack...
I remember reading an article not long ago that I'll quickly summarise below. Based on it, I could be swayed to agree with this request as a potential future enhancement, given the reasons. However, if the app needs to read/use that JWT, and it's all in JavaScript anyway, I'm not too sure of any benefits either; would love to know more...
Summary:
JWTs should be stored in cookies because of the additional security they provide, and the simplicity of protecting against CSRF with modern web frameworks. HTML5 Web Storage is vulnerable to XSS, has a larger attack surface area, and can impact all application users on a successful attack.
Source: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
JWTs should be stored in cookies because of the additional security they provide
This is the key point though. Cookies are only more secure if they have the httpOnly option, which prevents JavaScript from accessing them. However, this isn't a viable option for Directus, as the JWT is being sent through the Authorization header in requests. Besides, it needs to be sent in the POST body when refreshing tokens.
Once you allow JavaScript to access cookies to enable this functionality, I believe we end up in the exact same situation 🤷‍♂️
Nothing has been heard back on this, I'm thinking a wontfix is valid here @rijkvanzanten, as there doesn't seem to be any actual benefit to switching...
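The trade-off argued in this thread, as an added example that is not part of the original issue or of the Directus code base. It is a small model of the browser rules that matter here (page scripts can read all of sessionStorage and every non-HttpOnly cookie via document.cookie; the browser attaches cookies to cross-site requests according to their SameSite attribute) and evaluates each storage choice against the same three questions: can the legitimate client still build a Bearer header, can an injected script read the token, and does a cross-site POST carry it. The function and field names, and the sample token, are this example's own assumptions.

```javascript
// Added example: model of token storage choices vs. XSS and CSRF.
// Not Directus code; browser state and helper names are assumptions.

// Simulated browser state for one origin (constructed for the example).
function createBrowser() {
  return { sessionStorage: new Map(), cookieJar: [] };
}

// Set-Cookie with the two attributes that matter in this discussion.
function setCookie(browser, name, value, { httpOnly = false, sameSite = 'Lax' } = {}) {
  browser.cookieJar.push({ name, value, httpOnly, sameSite });
}

// What page scripts see via document.cookie: every cookie except HttpOnly ones.
function documentCookie(browser) {
  return browser.cookieJar
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Cookies the browser attaches to a request to this origin.
// crossSite: request initiated from another site (e.g. an attacker's form).
// topLevelGet: top-level GET navigation, for which SameSite=Lax still sends.
function cookiesForRequest(browser, { crossSite, topLevelGet = false }) {
  return browser.cookieJar.filter((c) => {
    if (!crossSite) return true;
    if (c.sameSite === 'None') return true;
    if (c.sameSite === 'Lax') return topLevelGet;
    return false; // SameSite=Strict: never sent cross-site
  });
}

// Token value a page script can read from document.cookie, or null.
function tokenFromDocumentCookie(browser) {
  const m = documentCookie(browser).match(/(?:^|; )token=([^;]*)/);
  return m ? m[1] : null;
}

// The legitimate client: it needs the raw token in JS to build the header.
function authorizationHeader(browser, storage) {
  const token = storage === 'sessionStorage'
    ? browser.sessionStorage.get('token') ?? null
    : tokenFromDocumentCookie(browser);
  return token ? `Bearer ${token}` : null;
}

// Evaluate one storage choice: client usability, XSS exposure, CSRF exposure.
function evaluate(browser, storage, token) {
  const xssRead = storage === 'sessionStorage'
    ? browser.sessionStorage.get('token') ?? null
    : tokenFromDocumentCookie(browser);
  const csrfCookies = cookiesForRequest(browser, { crossSite: true });
  return {
    clientCanSendBearer: authorizationHeader(browser, storage) !== null,
    xssReadsToken: xssRead === token,
    // sessionStorage is never attached to requests; cookies may be.
    csrfPostCarriesToken: storage !== 'sessionStorage'
      && csrfCookies.some((c) => c.name === 'token'),
  };
}

// Compare the options discussed in the thread under the same attacks.
function compareStorageOptions(token = 'eyJ.example.jwt') {
  const results = {};

  const a = createBrowser();
  a.sessionStorage.set('token', token);
  results.sessionStorage = evaluate(a, 'sessionStorage', token);

  const b = createBrowser();
  setCookie(b, 'token', token, { httpOnly: false, sameSite: 'Lax' });
  results.readableCookieLax = evaluate(b, 'cookie', token);

  const c = createBrowser();
  setCookie(c, 'token', token, { httpOnly: true, sameSite: 'Lax' });
  results.httpOnlyCookieLax = evaluate(c, 'cookie', token);

  const d = createBrowser();
  setCookie(d, 'token', token, { httpOnly: true, sameSite: 'None' });
  results.httpOnlyCookieNone = evaluate(d, 'cookie', token);

  return results;
}

console.log(JSON.stringify(compareStorageOptions(), null, 2));
```

The rows make the thread's point concrete: a cookie that JavaScript is allowed to read is exactly as exposed to XSS as sessionStorage, an HttpOnly cookie is not readable by an injected script but then cannot be put into an Authorization header by the client either, and whether a cookie is exposed to a cross-site POST is decided by its SameSite attribute rather than by the cookie-vs-storage choice.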