4.2.9.1. HttpOnly
When a cookie is marked HttpOnly, XSS can still carry out operations directly on the origin site without ever reading the cookie.
Where a login operation is involved, some sites may send the login request directly with the cookie attached.
Certain browser versions may have flaws in their HttpOnly support or handling.
Older browsers that support TRACE / TRACK can be used to obtain sensitive header fields.
Pages such as phpinfo may echo information that includes the HTTP headers.
Phishing by hijacking the page through XSS.
Forging authorization requests such as OAuth through XSS to log in remotely.
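Two of the points above (TRACE / TRACK and header-echoing pages such as phpinfo) can be checked for on your own site. The following audit is an added example, not part of the original notes; the function names, the response dictionary layout and the sample data are assumptions made for illustration.

```python
RISKY_METHODS = {"TRACE", "TRACK"}
MIN_VALUE_LEN = 8  # ignore short values that would match page text by accident

def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, lowercase attribute names)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name.strip(), value.strip(), attrs

def audit_httponly_exposure(responses):
    """Return sorted findings where an HttpOnly cookie could still reach page script."""
    protected = {}
    for resp in responses:
        for header in resp.get("set_cookie", []):
            name, value, attrs = parse_set_cookie(header)
            if "httponly" in attrs:
                protected[name] = value
    findings = set()
    for resp in responses:
        # Assumption: the Allow header reflects the methods the server accepts.
        allowed = {m.strip().upper() for m in resp.get("allow", "").split(",")}
        for method in allowed & RISKY_METHODS:
            findings.add(f"{method} allowed on {resp['path']}: request headers can be echoed")
        # A body containing the cookie value makes it readable despite HttpOnly.
        for name, value in protected.items():
            if len(value) >= MIN_VALUE_LEN and value in resp.get("body", ""):
                findings.add(f"{name}: HttpOnly value echoed in body of {resp['path']}")
    return sorted(findings)

# Constructed sample responses (not captured from a real site).
SAMPLE = [
    {"path": "/login", "body": "<p>Welcome</p>",
     "set_cookie": ["sid=9f2c1e7ab04d55aa; Path=/; HttpOnly; Secure", "theme=dark; Path=/"]},
    {"path": "/info.php", "allow": "GET, HEAD, TRACE",
     "body": "<tr><td>HTTP_COOKIE</td><td>sid=9f2c1e7ab04d55aa; theme=dark</td></tr>"},
    {"path": "/home", "allow": "GET, HEAD", "body": "<h1>Home</h1>"},
]

if __name__ == "__main__":
    for finding in audit_httponly_exposure(SAMPLE):
        print(finding)
```

Each finding is a page to remove, restrict or reconfigure: disable TRACE / TRACK on the server and take diagnostic pages that print request headers out of production.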