An HttpOnlycookie means that it's notavailable to scripting languages like JavaScript. So in JavaScript, there's absolutely no API available to get/set the HttpOnlyattribute of the cookie, as that would otherwise defeat the meaning of HttpOnly.

一个HttpOnlycookie的手段，它是不提供给脚本语言如JavaScript。所以在 JavaScript 中，绝对没有 API 可用于获取/设置HttpOnlycookie的属性，否则会破坏HttpOnly.

Just set it as such on the server side using whatever server side language the server side is using. If JavaScript is absolutely necessary for this, you could consider to just let it send some (ajax) request with e.g. some specific request parameter which triggers the server side language to create an HttpOnly cookie. But, that would still make it easy for hackers to change the HttpOnlyby just XSS and still have access to the cookie via JS and thus make the HttpOnlyon your cookie completely useless.

只需使用服务器端使用的任何服务器端语言在服务器端设置它。如果 JavaScript 是绝对必要的，你可以考虑让它发送一些（ajax）请求，例如一些特定的请求参数，触发服务器端语言创建一个 HttpOnly cookie。但是，这仍然会让黑客很容易HttpOnly通过 XSS来改变它，并且仍然可以通过 JS 访问 cookie，从而使HttpOnly你的 cookie 完全无用。