This question already has an answer here:
- Does setting httponly prevent stealing a session using XSS?
I just tried 2 large websites.
So does that mean that, by simply setting the authenticated cookie with the httpOnly flag, XSS can then be completely prevented?