When using the double submit cookie pattern, HttpOnly should always be true for the cookie. Disabling this is not a good idea. It could be argued that if you're vulnerable to XSS, then CSRF doesn't matter, but there is no justification for negligence.
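An added example (not code from the original post) of a double submit cookie check where the CSRF cookie is HttpOnly. The practical caveat: HttpOnly only works when the token reaches the request some other way than client-side script reading the cookie, which here means the server renders the same token into a hidden form field. The cookie and field names, the form action and the standalone demo are assumptions made for this example; the check itself is a plain double submit comparison (no session binding), which is the pattern the text is discussing.

```python
import hmac
import secrets
from html import escape
from http.cookies import SimpleCookie
from typing import Optional

# Assumed names for this example; any site-specific names work the same way.
COOKIE_NAME = "csrf_token"
FIELD_NAME = "csrf_token"


def issue_token() -> str:
    """Generate a fresh, unpredictable CSRF token (256 bits of entropy)."""
    return secrets.token_urlsafe(32)


def set_cookie_header(token: str) -> str:
    """Build the Set-Cookie header for the CSRF cookie.

    HttpOnly is fine here because the token is delivered to the request by the
    server-rendered form below, so client-side JavaScript never needs to read
    the cookie. Secure and SameSite=Strict further limit where it is sent.
    """
    return f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Strict"


def render_form(token: str, action: str = "/transfer") -> str:
    """Embed the same token as a hidden field in a server-rendered form."""
    return (
        f'<form method="POST" action="{escape(action)}">'
        f'<input type="hidden" name="{FIELD_NAME}" value="{escape(token)}">'
        f'<button type="submit">Submit</button></form>'
    )


def validate_double_submit(cookie_header: Optional[str], form_fields: dict) -> bool:
    """Accept the request only if the cookie token and the form token are both
    present and identical. Missing or malformed input fails closed."""
    if not cookie_header:
        return False
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:  # malformed Cookie header: treat as no token
        return False
    if COOKIE_NAME not in jar:
        return False
    cookie_token = jar[COOKIE_NAME].value
    form_token = form_fields.get(FIELD_NAME, "")
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so token mismatches do not leak timing.
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


if __name__ == "__main__":
    # Standalone demo with a constructed request pair (assumed values).
    token = issue_token()
    print(set_cookie_header(token))
    print(render_form(token))
    legit = validate_double_submit(f"{COOKIE_NAME}={token}", {FIELD_NAME: token})
    # A cross-site attacker cannot read the HttpOnly cookie or the victim's
    # page, so the best they can do is submit a guess.
    forged = validate_double_submit(f"{COOKIE_NAME}={token}", {FIELD_NAME: issue_token()})
    print("legit request accepted:", legit, "| forged request accepted:", forged)
```

One known limit of the plain comparison shown here: an attacker who can set cookies for a parent domain or sibling subdomain can plant a matching cookie and field value, which is why binding the token to the session (for example with an HMAC over the session identifier) is the usual next step.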