Hacker News

Sohcahtoa82, yesterday at 10:14 PM

HttpOnly makes it so XSS can't steal your token, but that won't stop XSS from using your token.
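
The distinction in the comment above, as an added example that is not part of the original comment: a small model of a browser cookie jar showing that HttpOnly filters what script can read, but not what the browser attaches to requests the page makes. The class, function names, and cookie values are constructed for illustration, and the model ignores Path, Domain, and SameSite because a request issued by the page itself is same-site.

```javascript
// Minimal model of a browser cookie jar (hypothetical names, constructed data).
// It exposes the two views that matter for HttpOnly:
//   scriptView()    -> what page script reads from document.cookie
//   requestHeader() -> the Cookie header the browser attaches to a request

function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   httpOnly: false, secure: false };
  for (const attr of attrs) {
    const key = attr.split('=')[0].toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = new Map(); }

  store(setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    this.cookies.set(c.name, c);
  }

  // Script-visible view: HttpOnly cookies are omitted.
  scriptView() {
    return [...this.cookies.values()].filter((c) => !c.httpOnly)
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }

  // Request view: HttpOnly is not a filter here; only Secure depends on the scheme.
  requestHeader(isHttps) {
    return [...this.cookies.values()].filter((c) => isHttps || !c.secure)
      .map((c) => `${c.name}=${c.value}`).join('; ');
  }
}

// Constructed Set-Cookie headers, as a server might send after login.
function demo() {
  const jar = new CookieJar();
  jar.store('session=CONSTRUCTED-TOKEN; Path=/; Secure; HttpOnly; SameSite=Lax');
  jar.store('theme=dark; Path=/');
  return { script: jar.scriptView(), request: jar.requestHeader(true) };
}
```

Every request the page sends goes through the second view, so a session cookie hidden from `document.cookie` still authenticates requests issued by any script running in that page.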