From what I understand, HttpOnly cookies cannot be read by client js but they are passed by the browser with any subsequent requests. If an attacker is able to
create-directory
struts2-jquery-plugin
asianfonts
cmd
episerver-forms
ngen
beam
xacml3
onkeylistener
dynamic-function
suse
scss-functions
richtextbox
vue-transitions
act
onitemclicklistener
wkwebview
weak-events
photoimage
sentence
implicit-constructor
notorm
rml-rdf
transcrypt
my.cnf
mkfifo
fouc
mesosphere
knitr
system.numerics.vectors