Security question - auth tokens in local storage?

What I’m really interested in is, in situations where an API uses the Authorization header, is it possible for auth to flow across tabs or page reloads, but keep the credentials secure?

The issue with local storage is that it is vulnerable to XSS attacks. A successful attack could lead to auth tokens being taken from local storage. Also, the browser keeps local storage on disk, and malware running on a machine could also result in access tokens being stolen.

Elm is less susceptible to XSS attacks, but not 100% foolproof. People have given examples of being able to embed scripts in Elm programs, and also an Elm-based site may well pull in other JavaScript libraries which could potentially be compromised.

At the same time, users want a nice experience and would find it annoying to have to log in a second time if they accidentally refreshed the page, for example.
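One design that keeps the token off disk while still letting a new tab or a reloaded tab pick it up, as an added example that is not part of the original post or of any Elm project: the access token lives only in JavaScript memory, and same-origin tabs hand it to each other over a broadcast channel. The `channel` argument is assumed to be anything with `postMessage` and `onmessage`, such as a browser `BroadcastChannel('auth')`; the `createFakeBus` helper, the message type names and the `constructed-token-123` value are all constructed here so the module runs outside a browser.

```javascript
// Added example (not from the original post): access token kept in memory only,
// shared between same-origin tabs over a broadcast channel instead of localStorage.

function createTokenStore(channel) {
  let token = null; // only in this JS context; never written to localStorage/sessionStorage

  channel.onmessage = (event) => {
    const msg = event.data;
    if (msg.type === 'token-request' && token !== null) {
      // A freshly loaded tab is asking: offer it the token we hold in memory.
      channel.postMessage({ type: 'token-response', token });
    } else if (msg.type === 'token-response' && token === null) {
      // First answer wins; later answers from other tabs are ignored.
      token = msg.token;
    } else if (msg.type === 'token-revoked') {
      // Logout in one tab clears the token everywhere.
      token = null;
    }
  };

  return {
    set(t) { token = t; },                         // called with the login response
    get() { return token; },
    clear() { token = null; channel.postMessage({ type: 'token-revoked' }); },
    requestFromOtherTabs() { channel.postMessage({ type: 'token-request' }); },
    // Header to attach to API calls; empty when the user is not logged in.
    authHeader() { return token === null ? {} : { Authorization: `Bearer ${token}` }; },
  };
}

// Constructed stand-in for BroadcastChannel: synchronous delivery to every
// other member of the bus, and (like the real thing) no echo to the sender.
function createFakeBus() {
  const members = [];
  return {
    channel() {
      const ch = {
        onmessage: null,
        postMessage(data) {
          for (const other of members) {
            if (other !== ch && other.onmessage) other.onmessage({ data });
          }
        },
      };
      members.push(ch);
      return ch;
    },
  };
}

// Walks through the scenario from the post: tab A is logged in, tab B is a
// reload/new tab that should not force a second login, then A logs out.
function demo() {
  const bus = createFakeBus();
  const tabA = createTokenStore(bus.channel());
  tabA.set('constructed-token-123'); // constructed sample value
  const tabB = createTokenStore(bus.channel());
  tabB.requestFromOtherTabs();
  const headerB = tabB.authHeader();
  tabA.clear();
  return { headerB, afterLogoutA: tabA.get(), afterLogoutB: tabB.get() };
}

// In a browser you would use: createTokenStore(new BroadcastChannel('auth'))
```

What this buys and what it does not: the token never touches the on-disk storage the post worries about, and a reload or new tab recovers it from any other open tab of the same origin. It does not remove the XSS risk, since script running in the page can still ask the store for the header or intercept the requests it signs; and if no other tab is open, the store stays empty and the app has to fall back to the login flow.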