From what I understand, HttpOnly cookies cannot be read by client js but they are passed by the browser with any subsequent requests. If an attacker is able to
internal-storage
umongo
radius
directx-9
blackberry-dynamics
express-gateway
authorized-keys
abortcontroller
epoxy
go-interface
mathematical-typesetting
java-platform-module-system
spring-cloud-connectors
libcmtd
tspan
bartender
wordpress-gutenberg
xslt-2.0
sorted
garbage
google-secret-manager
nstabviewcontroller
javabeans
pgm
oracle-ebs
nedb
supportfragmentmanager
uicolorpickerviewcontroller
node-pg-migrate
snakeviz
