@b0rk (Julia Evans) e.g. if the way your SPA works is by getting a JWT directly and adding it to fetch calls, the attacker's code in another tab doesn't have any way to get that token since it's not in the browser's cookie store to begin with.