Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites.
The __session cookie contains the session token and is set by Clerk on your application's root domain (e.g. example.com). It is not HttpOnly (unlike the __client cookie, which lives on the Frontend API domain, e.g. clerk.example.com) because it needs to be accessible by Clerk.js.
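
The HttpOnly difference described above can be checked from response headers. The following is an added example, not code from Clerk or from the original page; the Set-Cookie lines, token values and attributes other than HttpOnly are constructed for illustration, and the function names are hypothetical.

```javascript
// Constructed Set-Cookie headers: values and extra attributes are illustrative,
// not captured from a real Clerk deployment.
const sampleHeaders = [
  { host: "example.com", header: "__session=constructed.session.token; Path=/; Secure" },
  { host: "clerk.example.com", header: "__client=constructed-client-token; Path=/; Secure; HttpOnly" },
];

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair ? pair.indexOf("=") : -1;
  if (eq < 1) throw new Error("malformed cookie pair: " + pair);
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: Object.create(null) };
  for (const a of attrs) {
    const i = a.indexOf("=");
    // Attribute names are case-insensitive; flag attributes have no value.
    const key = (i === -1 ? a : a.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1).trim();
  }
  return cookie;
}

// Without HttpOnly the cookie appears in document.cookie, so any script running
// on that origin can read it, including a script injected through XSS.
function scriptReadable(cookie) {
  return !("httponly" in cookie.attrs);
}

// Report, per cookie, which host set it and whether page script can read it.
function auditCookies(entries) {
  return entries.map(({ host, header }) => {
    const c = parseSetCookie(header);
    return { host, name: c.name, scriptReadable: scriptReadable(c) };
  });
}

for (const row of auditCookies(sampleHeaders)) {
  console.log(`${row.name} (${row.host}): readable by page script = ${row.scriptReadable}`);
}
```

Run against real response headers, any session-bearing cookie reported as script-readable marks an origin where XSS prevention carries the full weight of protecting that token.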