Information Security
floppa322, 2018-09-16 01:28:20

How to implement Double Submit Cookies?

Good afternoon.
After reading several articles about DSC, the following questions came up:
1. Does it make sense to generate a CSRF token for each request from the client, or is it still tied to the lifetime of the authentication cookie, that is, when a user logs in, set a token for him and not on each request?
2. I don't quite understand why you need to send the token both in the cookie and in the response, because if the site has XSS, then an attacker can read the token directly from the HTML, and the HttpOnly flag will not save you here?
3. If the token is updated on each request and stored in the HTML (as a hidden form field or in a meta tag), then there are problems with multiple tabs: when two or more tabs are open, requests from the 2nd tab update the cookie for the 1st tab but do not update the associated token in the HTML of the 1st tab, so when you try to send something from the 1st tab the request will not be legitimate for the server. This begs the question: is it acceptable practice to use cookie + localStorage token binding for tab synchronization instead of cookie + HTML, since the Same Origin Policy does not allow an attacker to access localStorage?
4. If the token is refreshed on each request, what lifetime would be preferable for it?
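An added worked example (not code from the question or the answer) of a server-side double-submit-cookie check in Python. Plain dicts stand in for a framework's cookie jar, form body and headers; the cookie, field and header names and the two-tab simulation are constructed assumptions. It issues the token once per login session (question 1), compares the cookie copy and the submitted copy in constant time, and models the multi-tab situation from question 3 both with and without per-request rotation.

```python
"""Minimal double-submit-cookie (DSC) CSRF check, framework-free.

Constructed example: dicts stand in for the cookie jar, form body and
headers that a real HTTP framework would expose.
"""
import hmac
import secrets

CSRF_COOKIE = "csrf_token"     # cookie name (assumption)
CSRF_FIELD = "csrf_token"      # hidden form field name (assumption)
CSRF_HEADER = "X-CSRF-Token"   # header used by fetch/XHR requests (assumption)
MIN_TOKEN_LEN = 32             # reject empty or trivially short tokens outright


def issue_csrf_token() -> str:
    """Unpredictable token; issue it once per login session, not per request."""
    return secrets.token_urlsafe(32)  # 256 bits of entropy, URL-safe base64


def set_cookie_header(token: str) -> str:
    """Set-Cookie value for the token.

    Secure and SameSite limit where the browser sends it. HttpOnly is fine
    when the server itself copies the token into the HTML (hidden field);
    it must be omitted if client-side JS reads the cookie to fill the header.
    """
    return f"{CSRF_COOKIE}={token}; Path=/; Secure; SameSite=Lax"


def hidden_field(token: str) -> str:
    """Server-rendered HTML fragment that carries the same token in the form."""
    return f'<input type="hidden" name="{CSRF_FIELD}" value="{token}">'


def verify_double_submit(cookies: dict, form: dict, headers: dict) -> bool:
    """Accept a state-changing request only if cookie token == submitted token."""
    cookie_token = cookies.get(CSRF_COOKIE, "")
    submitted = form.get(CSRF_FIELD) or headers.get(CSRF_HEADER) or ""
    if len(cookie_token) < MIN_TOKEN_LEN or len(submitted) < MIN_TOKEN_LEN:
        return False
    # Constant-time comparison so token bytes do not leak through timing.
    return hmac.compare_digest(cookie_token, submitted)


def simulate_two_tabs(rotate_per_request: bool) -> tuple:
    """Model question 3: two tabs share one cookie jar but each keeps its own HTML.

    Returns (tab2_ok, tab1_ok) for a POST from tab 2 followed by a POST from tab 1.
    """
    jar = {}
    token = issue_csrf_token()
    jar[CSRF_COOKIE] = token
    tab1_html_token = token   # tab 1 was rendered with the current token
    tab2_html_token = token   # tab 2 was rendered with the same token

    # Tab 2 submits first and is accepted.
    tab2_ok = verify_double_submit(jar, {CSRF_FIELD: tab2_html_token}, {})
    if rotate_per_request:
        # Server rotates the token: the new cookie lands in the shared jar,
        # but only tab 2 receives freshly rendered HTML with the new value.
        jar[CSRF_COOKIE] = issue_csrf_token()

    # Tab 1 submits with the token baked into its (now possibly stale) HTML.
    tab1_ok = verify_double_submit(jar, {CSRF_FIELD: tab1_html_token}, {})
    return tab2_ok, tab1_ok


if __name__ == "__main__":
    print("per-session token, two tabs:", simulate_two_tabs(rotate_per_request=False))
    print("per-request rotation, two tabs:", simulate_two_tabs(rotate_per_request=True))
```

With a per-session token both tabs keep working; with per-request rotation the first tab's stale hidden field no longer matches the shared cookie and is rejected, which is exactly the breakage described in question 3.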

1 answer

Ivan Shumov, 2018-09-16
@inoise

Cross Site Request Forgery - yes, that's why. Ideally, this token is generated each time for a separate form. It is needed to check whether a bot has arrived and whether the bot has visited the page. In general, a somewhat dubious version of CORS, but it saves you from inquisitive beginners.
