不同的浏览器在设置HTTPOnly 标志时启用不同的安全措施。例如Opera和Safari不会阻止javascript写入cookie。但是，始终禁止在所有主要浏览器的最新版本上阅读。

Different Browsers enable different security measures when the HTTPOnly flag is set. For instance Opera and Safari do not prevent javascript from writing to the cookie. However, reading is always forbidden on the latest version of all major browsers.

但更重要的是，为什么要阅读 HTTPOnly cookie？如果您是开发人员，则只需禁用该标志并确保您测试了针对xss的代码。我建议您尽可能避免禁用此标志。 HTTPOnly 标志和 secure flag （强制将Cookie通过https发送）。

But more importantly why do you want to read an HTTPOnly cookie? If you are a developer, just disable the flag and make sure you test your code for xss. I recommend that you avoid disabling this flag if at all possible. The HTTPOnly flag and "secure flag" (which forces the cookie to be sent over https) should always be set.

如果您是攻击者，那么您想劫持会话。尽管有 HTTPOnly 标志，但是有一种劫持会话的简单方法。您仍然可以在不知道会话ID的情况下参加会话。 MySpace 萨米蠕虫就是这样做的。它使用 XHR 来读取 CSRF 令牌，然后执行授权任务。因此，攻击者几乎可以执行登录用户可以执行的任何操作。

If you are an attacker, then you want to hijack a session. But there is an easy way to hijack a session despite the HTTPOnly flag. You can still ride on the session without knowing the session id. The MySpace Samy worm did just that. It used an XHR to read a CSRF token and then perform an authorized task. Therefore, the attacker could do almost anything that the logged user could do.

人们对 HTTPOnly 标志 XSS 。您应该围绕敏感功能设置障碍。例如更改密码字段应要求使用当前密码。管理员具有创建新帐户的能力，需要验证码，该验证码是 CSRF XHR 不能轻易绕过的预防技术。

People have too much faith in the HTTPOnly flag, XSS can still be exploitable. You should setup barriers around sensitive features. Such as the change password filed should require the current password. An admin's ability to create a new account should require a captcha, which is a CSRF prevention technique that cannot be easily bypassed with an XHR.