From what I understand, HttpOnly cookies cannot be read by client js but they are passed by the browser with any subsequent requests. If an attacker is able to