Why does client hijacking only work while the browser is online?


I was reading the OAuth 2.0 for Browser-Based Apps draft, and went into the mailing list discussions. In the emails there's this bit of text:

Stating that using stolen tokens is the same as sending requests through a compromised client in the user’s browser (client hijacking) is categorically false. Here are two concrete differences:

Stolen refresh tokens give an attacker long-term access in the name of the user. Client hijacking only works as long as the user's browser is online and the client is effectively running.

Stolen access tokens give an attacker unfettered access to any resource server that accepts it. Client hijacking forces the attacker to play by the rules of the client. For example, an attacker can abuse a stolen token with fake origin headers to access a resource server that would accept the token, but has a CORS policy that rejects requests from the client's origin.

Why does client hijacking not work without an online browser with the client running? As far as I understand client hijacking, it means an attacker is able to steal the session in the browser from a victim. Couldn't they use this session somewhere else to act maliciously?
