How does the XSS protection work? In a request to I get a request header

Cookie: snapsession=████████████████████████████████████████████████████████████████████████████████████████████████████████████; persist_session=true

But if I open the console, I get no cookie. I can add other cookies to document.cookie. The x-xss-protection header is not supported by firefox, so it shouldn't do anything.

there are a 2 projects made by different people that have blocks that can set cookies,!&editMode&noRun and

I'm asking about how the snap server prevents the snapsession cookie from going in document.cookie, not how to add my own cookies to document.cookie.

set-cookie: snapsession=...; httponly;

Dan's correct. If you do have that cookie, you can supply it to other requests, but no one should be able to read that cookie via JS.

The blocks in the first project is not by me.

I know that, it's another project that I found that have cookie blocks