From what I understand, HttpOnly cookies cannot be read by client JS, but they are passed by the browser with any subsequent requests.
If an attacker is able to inject JS into a web page and make a request to the endpoint, it would still go through because all cookies are passed along, correct?
What's the point of HttpOnly cookies?
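
The two behaviours the question contrasts, modelled as an added example that is not part of the original post: a toy cookie jar (the `CookieJar` class, `parseSetCookie` helper and sample headers are constructed here, not a browser API) showing what `document.cookie` exposes to script versus what goes into the `Cookie` request header.

```javascript
// Toy model of a browser cookie jar (constructed for illustration only).
// Parses Set-Cookie values and exposes the script view and the request view.

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  // Attribute names are case-insensitive; keep only the names as flags.
  const flags = new Set(attrs.map(a => a.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: flags.has('httponly'),
    secure: flags.has('secure'),
  };
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  store(header) {
    const c = parseSetCookie(header);
    this.cookies.set(c.name, c);
  }

  // What page script gets from document.cookie: HttpOnly cookies are filtered out.
  documentCookie() {
    return this.serialize(c => !c.httpOnly);
  }

  // What the browser sends in the Cookie header: HttpOnly plays no role here,
  // only Secure does (Secure cookies are withheld on plain HTTP).
  requestCookieHeader(isHttps) {
    return this.serialize(c => isHttps || !c.secure);
  }

  serialize(keep) {
    return [...this.cookies.values()].filter(keep)
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed sample response headers.
const jar = new CookieJar();
jar.store('session=s3cr3t-constructed; Path=/; HttpOnly; Secure; SameSite=Lax');
jar.store('theme=dark; Path=/');

console.log('document.cookie ->', jar.documentCookie());
console.log('Cookie header   ->', jar.requestCookieHeader(true));
```

The script-visible string never contains the `session` value, while a request issued from the page still carries it.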