HttpOnly cookies are still specified only in an IETF draft<ref name="httponlyrfc">IETF [http://tools.ietf.org/html/draft-ietf-httpstate-cookie-2021 Internet Draft: HTTP State Management Mechanism - DecJan 1920, 20102011] Obsoletes RFC 2965 (if approved).</ref>, though most modern browsers support them. On a supporting browser, an HttpOnly cookie is sent only with HTTP (or HTTPS) requests, and its value is not available to client-side script, which mitigates the threat of cookie theft via [[Cross-site scripting]].
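
The behaviour described above, as an added example that is not part of the original article: a simplified JavaScript model of a browser cookie jar, showing that an HttpOnly cookie is still attached to requests but is withheld from script. The function names and sample header values are constructed for illustration, and the model ignores Domain, Path, Secure and expiry handling.

```javascript
// Simplified model of a browser cookie jar (added example; Domain, Path,
// Secure and expiry are ignored so the HttpOnly rule is the only variable).

// Parse one Set-Cookie header value into { name, value, httpOnly }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // no usable name=value pair: ignore the header
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    // Attribute names are matched case-insensitively.
    httpOnly: attrs.some((a) => a.toLowerCase() === 'httponly'),
  };
}

// Store cookies by name, as received from a list of Set-Cookie headers.
function buildJar(setCookieHeaders) {
  const jar = new Map();
  for (const h of setCookieHeaders) {
    const c = parseSetCookie(h);
    if (c) jar.set(c.name, c);
  }
  return jar;
}

const serialize = (cookies) =>
  cookies.map((c) => `${c.name}=${c.value}`).join('; ');

// What the browser attaches to an outgoing HTTP(S) request: every cookie.
function cookieHeaderForRequest(jar) {
  return serialize([...jar.values()]);
}

// What a script reading document.cookie sees: HttpOnly cookies are withheld.
function scriptVisibleCookies(jar) {
  return serialize([...jar.values()].filter((c) => !c.httpOnly));
}

// Constructed sample response headers.
const SAMPLE_HEADERS = [
  'SESSIONID=constructed-session-value; Path=/; Secure; HttpOnly',
  'theme=dark; Path=/',
  'csrf_hint=constructed; httponly',
];

const jar = buildJar(SAMPLE_HEADERS);
console.log('sent with requests:', cookieHeaderForRequest(jar));
console.log('visible to scripts:', scriptVisibleCookies(jar));
```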