From what I understand, HttpOnly cookies cannot be read by client js but they are passed by the browser with any subsequent requests. If an attacker is able to
openxls
iterative-deepening
plsql
brython
ocaml-lwt
zenodo
onos
technical-indicator
json5
destroy
custom-fields
iverilog
openvx
arcgis-online
ceres-solver
hamming-numbers
asp.net-mvc-4
bundle-install
wp-nav-menu-item
clickhouse-client
urlconnection
google-maps-android-api-1
safetynet
caddyfile
oracle-bpm-suite
spring-webflux
xmlsec
oceanbase
requirejs
api
