Does the DST cookie use the HttpOnly attribute to prevent XSS attacks?
No.
The purpose of the HttpOnly attribute is to prevent JavaScript running in the browser from reading the cookie. This is a good security measure for scenarios where the cookie is created and read only by server-side code. But that's not the case with DST. Our browser-based JavaScript both reads and writes that cookie, so adding the HttpOnly attribute to it would completely break our script, which would no longer be able to track user activity. For more information about HttpOnly, see this page.
The value of the DST cookie is not stored in plain text. Our script encodes it. If any other script were to attempt to read the data there, it wouldn't be able to make any sense of it unless it knew how it was encoded and how to decode it. Additionally, the only data being stored there is a unique identifier, which is a string of random characters that is meaningless except to our backend code and database on AWS. Even if another script were able to access it, there's nothing that could be done with it to harm your site or our script.
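To make the HttpOnly trade-off described above concrete, here is an added example (not DST's script or any vendor code): a small JavaScript model of a browser cookie jar that applies the HttpOnly rules from RFC 6265, so a server-set HttpOnly session cookie and a script-managed cookie like DST's can be compared side by side. All cookie names and values are constructed for the demo.

```javascript
// Added example (not DST's code): a minimal model of a browser cookie jar
// applying the HttpOnly rule from RFC 6265, to show why a cookie that
// page script must read and write cannot carry that attribute.
// All cookie names and values below are constructed.

function parseCookieString(str) {
  // "name=value; Attr; Attr=val" -> { name, value, attrs } (attrs lowercased)
  const [pair, ...rest] = str.split(';').map((p) => p.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const p of rest.filter(Boolean)) {
    const i = p.indexOf('=');
    attrs[(i === -1 ? p : p.slice(0, i)).trim().toLowerCase()] =
      i === -1 ? true : p.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(), attrs };
}

class CookieJar {
  constructor() { this.store = new Map(); } // name -> { value, httpOnly }

  // Set-Cookie response header: the browser honours HttpOnly here.
  setFromHttp(setCookie) {
    const c = parseCookieString(setCookie);
    this.store.set(c.name, { value: c.value, httpOnly: 'httponly' in c.attrs });
  }

  // document.cookie write: a script cannot create an HttpOnly cookie
  // (the browser drops it) nor overwrite an existing HttpOnly cookie.
  setFromScript(str) {
    const c = parseCookieString(str);
    const existing = this.store.get(c.name);
    if ('httponly' in c.attrs || (existing && existing.httpOnly)) return false;
    this.store.set(c.name, { value: c.value, httpOnly: false });
    return true;
  }

  // document.cookie read: HttpOnly cookies are filtered out.
  documentCookie() {
    return [...this.store].filter(([, c]) => !c.httpOnly)
      .map(([n, c]) => `${n}=${c.value}`).join('; ');
  }

  // Cookie request header: everything goes back to the server.
  requestCookieHeader() {
    return [...this.store].map(([n, c]) => `${n}=${c.value}`).join('; ');
  }
}
```

A script-managed cookie can still carry Secure and SameSite, as the test values show; HttpOnly is the one attribute it cannot use.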