Everything is _not_ static: there's a data channel.
If you need to support browsers that do not support localStorage, indexedDB or another kind of local, private storage, you must either restrict authentication to a single tab or provide a token on page load, and not later (one token per page load).
This is less of a concern now, but it used to be the case.
You can use CORS and withCredentials to use simple cookie-based browser sessions for authentication. It's still hard against CSRF because as long as you properly origin-check the request you don't have to worry about form forgery.
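The origin check the comment above relies on, as an added example that is not from the original thread or any particular project: a server-side function for a cookie-authenticated API that accepts credentialed cross-origin requests only from an exact allow-list and emits the matching CORS headers. The allow-list entries, the `checkOrigin` name and the sample requests are constructed for illustration.

```javascript
// Added example: exact-match Origin check for credentialed CORS requests.
// Hypothetical front-end origins allowed to call this API with cookies.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Methods that change server state and must therefore carry a trusted Origin.
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Decide whether a request may be served with the user's cookie session.
// `req` is a plain object: { method, headers: { origin? } }.
// Returns { allowed, headers, reason }; `headers` are the CORS response
// headers to emit when the request is allowed.
function checkOrigin(req) {
  const origin = req.headers.origin;

  // Browsers attach Origin to every cross-site request and to every
  // state-changing request, so a missing Origin on a write is untrusted.
  // (A deployment may fall back to Referer here; this example does not.)
  if (origin === undefined) {
    if (STATE_CHANGING.has(req.method)) {
      return { allowed: false, headers: {}, reason: "missing Origin on state-changing request" };
    }
    // Plain same-origin read: serve it, but no CORS headers are needed.
    return { allowed: true, headers: {}, reason: "no Origin on read request" };
  }

  // Exact string comparison only. A substring, prefix or regex test would
  // also accept "https://app.example.com.other.example", and the literal
  // "null" origin (sandboxed frames, file: pages) is never trusted.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, headers: {}, reason: `origin not allowed: ${origin}` };
  }

  // Echo the specific origin, never "*": the browser refuses to expose a
  // credentialed response (withCredentials / credentials: "include") to a
  // wildcard. Vary: Origin keeps caches from serving one origin's headers
  // to another.
  return {
    allowed: true,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Credentials": "true",
      "Vary": "Origin",
    },
    reason: "origin allowed",
  };
}
```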