I was reading #
The phrase in question is:
Create secure cookies that only work via HTTPS and are not accessed by JavaScript;
My question comes up in this part: what are cookies that "are not accessed by JavaScript"?
In my experience I have never had any problem with client-side operations involving cookies for this or a similar reason.
Obviously I am speaking in the context of HTTP + browser.
Since these cookies are in our browser, what prevents us from obtaining them? Is there a cookie or session that is not covered by document.cookie? Or even just by looking at the request headers (they always have to be present there, right?)?
I also hypothesize that the author was wrong and did not express it well.
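As an added example (not part of the original post), the following Node.js snippet models how a browser applies the two attributes the quoted phrase refers to: Secure (the cookie is only sent over HTTPS) and HttpOnly (the cookie is omitted from document.cookie, although the browser still attaches it to requests). The Set-Cookie headers and helper names are constructed for the example.

```javascript
// Added example: a minimal model of a browser cookie jar honouring
// the Secure and HttpOnly attributes. Sample headers are constructed.

// Parse one Set-Cookie header value into a cookie record with its flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: 'Lax', // assumed default (Chromium treats an absent SameSite as Lax)
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = v;
  }
  return cookie;
}

// What page scripts see through document.cookie: HttpOnly cookies are omitted.
function documentCookie(jar) {
  return jar.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join('; ');
}

// What the browser puts in the request's Cookie header: Secure cookies
// travel only over HTTPS, but HttpOnly cookies are still sent.
function cookieHeader(jar, isHttps) {
  return jar.filter((c) => isHttps || !c.secure).map((c) => `${c.name}=${c.value}`).join('; ');
}

// Constructed sample Set-Cookie headers as a server might send them.
const SET_COOKIE_HEADERS = [
  'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
  'theme=dark; Path=/',
];
const jar = SET_COOKIE_HEADERS.map(parseSetCookie);

console.log('document.cookie   ->', documentCookie(jar));      // theme=dark
console.log('Cookie over https ->', cookieHeader(jar, true));  // sessionid=abc123; theme=dark
console.log('Cookie over http  ->', cookieHeader(jar, false)); // theme=dark
```

The session cookie is never visible to scripts on the page, yet it is still present in the request headers the browser sends over HTTPS, which is exactly the distinction the quoted phrase draws.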