Different Browsers enable different security measures when the HTTPOnlyflag is set. For instance Opera and Safari do not prevent javascript from writing to the cookie. However, reading is always forbidden on the latest version of all major browsers.

设置HTTPOnly标志时，不同的浏览器启用不同的安全措施。例如 Opera 和 Safari 不会阻止 javascript 写入 cookie。但是，在所有主要浏览器的最新版本上始终禁止阅读。

But more importantly whydo you want to read an HTTPOnlycookie? If you are a developer, just disable the flag and make sure you test your code for xss. I recommend that you avoid disabling this flag if at all possible. The HTTPOnlyflag and "secure flag" (which forces the cookie to be sent over https) should always be set.

但更重要的是，您为什么要读取HTTPOnlycookie？如果您是开发人员，只需禁用该标志并确保您针对 xss 测试您的代码。我建议您尽可能避免禁用此标志。该HTTPOnly标志和“安全标志”（这迫使cookie被发送通过HTTPS）应始终设置。

If you are an attacker, then you want to hiHyman a session. But there is an easy way to hiHyman a session despite the HTTPOnlyflag. You can still ride on the session without knowing the session id. The MySpace Samy wormdid just that. It used an XHRto read a CSRFtoken and then perform an authorized task. Therefore, the attacker could do almost anything that the logged user could do.

如果您是攻击者，那么您想劫持会话。但是有一种简单的方法可以劫持会话，尽管有HTTPOnly标志。您仍然可以在不知道会话 ID 的情况下参加会话。MySpace Samy 蠕虫就是这样做的。它使用XHR读取CSRF令牌，然后执行授权任务。因此，攻击者几乎可以做登录用户可以做的任何事情。

People have too much faith in the HTTPOnlyflag, XSScan still be exploitable. You should setup barriers around sensitive features. Such as the change password filed should require the current password. An admin's ability to create a new account should require a captcha, which is a CSRF prevention techniquethat cannot be easily bypassed with an XHR.

人们过于相信HTTPOnlyflag，XSS仍然可以被利用。您应该在敏感功能周围设置障碍。如更改密码提交时应要求提供当前密码。管理员创建新帐户的能力应该需要验证码，这是一种CSRF 预防技术，无法通过XHR轻松绕过。

The whole point of HttpOnly cookies is that they can't be accessed by JavaScript.

HttpOnly cookie 的全部意义在于它们不能被 JavaScript 访问。

The only way (except for exploiting browser bugs) for your script to read them is to have a cooperating script on the server that will read the cookie value and echo it back as part of the response content. But if you can and would do that, why use HttpOnly cookies in the first place?

您的脚本读取它们的唯一方法（除了利用浏览器错误）是在服务器上有一个协作脚本，它将读取 cookie 值并将其作为响应内容的一部分回显。但是，如果您可以并且愿意这样做，那么首先为什么要使用 HttpOnly cookie？

One of the ways is to use safari web inspector, and in storage tab you can see all cookies, httpOnly or not, and just select the cookie Command+C, to copy it.

其中一种方法是使用 safari web 检查器，在存储选项卡中您可以看到所有 cookie，无论是否为 httpOnly，只需选择 cookie Command+C 进行复制。

Once you have the string you can easily parse it back with any cookie parser or plain javascript.

获得字符串后，您可以使用任何 cookie 解析器或纯 javascript 轻松解析它。