Jun 20, 2020
Thanks for this great article.
We at WSO2 use a token-splitting method to prevent XSS and CSRF. When we send the token to the browser, we split it into two parts: one is stored in a cookie with the HTTP-Only directive and the other in a cookie without the HTTP-Only directive (JS-accessible). When we make API calls, we read the JS-accessible cookie and set it in the Authorization header, and in a proxy layer (actually an Apache CXF interceptor) we merge the token parts coming in the cookie and the Authorization header.
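The split-token flow described in the comment above, as an added example that is not WSO2's code or the Apache CXF interceptor itself. It models the three parties in plain JavaScript: the server issuing two cookies (one HttpOnly, one script-readable), the browser side where page script can only read the non-HttpOnly half and places it in the Authorization header, and the interceptor that re-assembles the token and rejects any request missing either half. The cookie names `tok_p1`/`tok_p2`, the `Secure` flag, the `Bearer` scheme and the sample token are assumptions for the example.

```javascript
// Added example, not code from the original comment or from WSO2.
// Cookie names, the Secure flag and the Bearer scheme are assumptions.
const HTTP_ONLY_COOKIE = "tok_p1"; // half the browser sends automatically, hidden from script
const JS_COOKIE = "tok_p2";        // half page script reads and forwards in Authorization

// Server side: cut the token in two and emit one Set-Cookie header per half.
function splitToken(token) {
  const mid = Math.ceil(token.length / 2);
  return { part1: token.slice(0, mid), part2: token.slice(mid) };
}

function setCookieHeaders(token) {
  const { part1, part2 } = splitToken(token);
  return [
    `${HTTP_ONLY_COOKIE}=${part1}; Path=/; Secure; HttpOnly`,
    `${JS_COOKIE}=${part2}; Path=/; Secure`,
  ];
}

// Parse "a=1; b=2" into { a: "1", b: "2" } (used for both Cookie and document.cookie).
function parseCookies(cookieString) {
  const out = {};
  for (const pair of cookieString.split(";")) {
    const idx = pair.indexOf("=");
    if (idx < 0) continue;
    const name = pair.slice(0, idx).trim();
    if (name) out[name] = pair.slice(idx + 1).trim();
  }
  return out;
}

// Browser side: a minimal cookie jar. Everything goes into the Cookie header,
// but only cookies without HttpOnly are exposed to script (document.cookie).
function storeCookies(headers) {
  const jar = { all: {}, scriptVisible: {} };
  for (const header of headers) {
    const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
    const idx = nameValue.indexOf("=");
    const name = nameValue.slice(0, idx);
    const value = nameValue.slice(idx + 1);
    jar.all[name] = value;
    if (!attrs.some((a) => a.toLowerCase() === "httponly")) jar.scriptVisible[name] = value;
  }
  return jar;
}

const toCookieHeader = (obj) => Object.entries(obj).map(([k, v]) => `${k}=${v}`).join("; ");

// Page script builds the API call: the browser attaches all cookies itself;
// script can only read the JS-accessible half and puts it in Authorization.
function buildApiRequest(jar) {
  const part2 = parseCookies(toCookieHeader(jar.scriptVisible))[JS_COOKIE];
  const headers = { Cookie: toCookieHeader(jar.all) };
  if (part2 !== undefined) headers.Authorization = `Bearer ${part2}`;
  return { headers };
}

// Interceptor in front of the API: merge the cookie half and the header half.
// Returns the full token, or null when either half is missing.
function mergeToken(request) {
  const part1 = parseCookies(request.headers.Cookie || "")[HTTP_ONLY_COOKIE];
  const auth = request.headers.Authorization || "";
  const part2 = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : undefined;
  if (!part1 || !part2) return null;
  return part1 + part2;
}

// Constructed sample token (not a real credential).
const ISSUED = "eyJhbGciOiJIUzI1NiJ9.sample.payload.signature";

function runScenarios() {
  const jar = storeCookies(setCookieHeaders(ISSUED));
  // 1. Legitimate page: both halves arrive, token is restored.
  const legit = mergeToken(buildApiRequest(jar));
  // 2. Cross-site request: cookies are sent, but a foreign page cannot read
  //    the JS cookie, so there is no Authorization header.
  const crossSite = mergeToken({ headers: { Cookie: toCookieHeader(jar.all) } });
  // 3. Script that stole document.cookie: has the JS half only, no HttpOnly half.
  const stolenJsHalf = mergeToken({
    headers: { Authorization: `Bearer ${jar.scriptVisible[JS_COOKIE]}` },
  });
  return { legit, crossSite, stolenJsHalf };
}

console.log(runScenarios());
```

Only the first scenario yields a usable token; the other two show what each single half is worth on its own to the interceptor.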