I’ll preface this with the acknowledgement that HttpOnly is misunderstood by many, but it won’t change anything:
HttpOnly only prevents session theft as you cannot read the cookie, but you can still use it. You can still perform actions by sending AJAX requests with cookies attached.
In a subdomain takeover you receive cookies on all requests; you can view these irrespective of HttpOnly unless you are limited to controlling the HTML and JS of the subdomain (which I think is true of GitHub static sites).
HttpOnly is largely a failed mitigation; modern SPAs require access to JWT tokens, which compounds that. The solution is to focus on appropriate scoping (to prevent subdomain hijacks having such implications) and on preventing XSS.
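To make the two points above concrete (HttpOnly hides a cookie from script but not from requests, and a parent-domain `Domain=` attribute hands the cookie to any taken-over subdomain), here is an added example, written for this reply and not part of the original comment. It is a small model of the RFC 6265 domain-matching rule and the HttpOnly rule, run over a constructed cookie jar; `app.example.com`, `old.example.com` and every cookie value are made up.

```javascript
// Added example, not part of the original comment. A small model of RFC 6265
// cookie scoping and of the HttpOnly rule, used to show what a takeover of
// old.example.com receives versus what an XSS payload on app.example.com can
// read and send. All hostnames and cookie values are made up.

// RFC 6265 section 5.1.3 domain matching: exact match, or host ends with
// "." + domain (so "old.example.com" matches Domain=example.com).
function domainMatches(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Parse one Set-Cookie header as received from originHost. A cookie with no
// Domain attribute is host-only: it is returned to exactly that host.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    switch (key.toLowerCase()) {
      case "domain":
        if (val) {
          cookie.domain = val.replace(/^\./, "").toLowerCase();
          cookie.hostOnly = false;
        }
        break;
      case "httponly":
        cookie.httpOnly = true;
        break;
    }
  }
  return cookie;
}

// What the browser attaches to a request for `host`, i.e. the Cookie header
// a server (including a taken-over subdomain) actually sees. HttpOnly plays
// no part in this decision.
function cookiesSentTo(jar, host) {
  const h = host.toLowerCase();
  return jar.filter((c) => (c.hostOnly ? h === c.domain : domainMatches(h, c.domain)));
}

function cookieHeader(jar, host) {
  return cookiesSentTo(jar, host).map((c) => `${c.name}=${c.value}`).join("; ");
}

// What document.cookie shows to script on `host`: same matching, but
// HttpOnly cookies are filtered out. This is the whole effect of HttpOnly.
function documentCookie(jar, host) {
  return cookiesSentTo(jar, host)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Constructed jar: app.example.com sets one session cookie scoped to the
// parent domain (the weak setting) and one host-only session cookie (the fix).
const jar = [
  parseSetCookie("session=s3cr3t; Domain=example.com; Path=/; HttpOnly; Secure", "app.example.com"),
  parseSetCookie("session_hostonly=h0st; Path=/; HttpOnly; Secure", "app.example.com"),
  parseSetCookie("theme=dark; Domain=example.com; Path=/", "app.example.com"),
];

// Scenario 1: subdomain takeover of old.example.com. The attacker's server
// receives every Domain=example.com cookie, HttpOnly or not; the host-only
// cookie never leaves app.example.com.
function takeoverSees(host = "old.example.com") {
  return cookiesSentTo(jar, host).map((c) => c.name);
}

// Same takeover, but the attacker only controls HTML/JS on the subdomain (a
// static host): script there is back to document.cookie and loses HttpOnly ones.
function takeoverScriptSees(host = "old.example.com") {
  return documentCookie(jar, host);
}

// Scenario 2: XSS on app.example.com. Reading the session fails, but a
// credentialed request made from the page still carries it, so the payload
// can act as the user (model of fetch(url, { credentials: "include" })).
function xssCanRead() {
  return documentCookie(jar, "app.example.com");
}
function xssRequestCarries() {
  return cookieHeader(jar, "app.example.com");
}

console.log("takeover server receives:", takeoverSees());   // [ 'session', 'theme' ]
console.log("takeover script reads:", takeoverScriptSees()); // theme=dark
console.log("XSS document.cookie:", xssCanRead());           // theme=dark
console.log("XSS fetch Cookie header:", xssRequestCarries()); // session=s3cr3t; session_hostonly=h0st; theme=dark
```

The scoping fix is the host-only cookie: with no `Domain` attribute the browser returns it to `app.example.com` only, so a takeover of `old.example.com` never sees it. A `__Host-` name prefix makes browsers enforce that shape (no `Domain`, `Secure`, `Path=/`), which is worth using so a later change cannot quietly widen the scope again. Note also what the model does not show: nothing in cookie scoping stops the XSS case, which is why the comment pairs scoping with preventing XSS rather than leaning on HttpOnly.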