Hacker News
How EU Cookie Law Myths Affect Web Security (rdegges.com)
3 points by kuschku on Jan 23, 2018 | 2 comments



I just read that article: it was super interesting.

The author there found that many people recommend using cookies over web storage -- that's actually the exact opposite of the advice I've seen. This was written a few years ago, however.

Anyhow: I disagree with the author. I think what he's missing out on in his analysis is how common/easy/widespread XSS actually is.

XSS is far harder to defend against than CSRF. Because of this, the surface area of what you have to protect against is much greater and usually out of the control of an individual developer on a project. I'm actually doing a more thorough writeup of this currently, which I plan to publish sometime tomorrow.



