From what I understand, HttpOnly cookies cannot be read by client js but they are passed by the browser with any subsequent requests. If an attacker is able to
google-play-developer-api
ews-javascript-api-auth
mango-markets
lazyvgrid
mpchartios
uvicorn
license-key
list-comparison
auto-import
object-persistence
phonetics
qtablewidget
explicit-specialization
webmock
getstaticprops
discum
php-curl
lazycache
moloquent
posixlt
pyelasticsearch">pyelasticsearch
core-lua
wkt
smartdevicelink
rjava
data-dump
scoverage
bit-representation
expo-splash-screen
xregexp
pyelasticsearch