I've been looking for possible ways to get cookies with httpOnly enabled, but I can't find any. But then again, how can browser add-ons like Firebug, Add 'N Edit Cookies, etc., receive cookies? Can't an attacker do the same?
So my question is: is it really impossible to get the cookies of httpOnly-enabled requests using JavaScript?
P.S.: Yes, I know that httpOnly does not stop XSS attacks. I also know that it is useless against sniffers. Let me just focus on JavaScript, the alert(document.cookie) type / pre-httpOnly era.