[keycloak-user] Why is the KEYCLOAK_LOCALE cookie httponly? And is there a way to get the locale on first call of page?

Hi everyone, so I tried to theme the loginpage here, which worked out pretty well at first, but when internationalization was a thing (I had to change the provided internationalization to a selectbox) I tried to get the KEYCLOAK_LOCALE cookie at page load to set the selected option by this cookie. sadly, document.cookie doesn't have the KEYCLOAK_LOCALE cookie inside, because it seems to be set to httponly=true which doesn't make it accessible via js. So, this was a problem because when you first(!) call the loginpage, there is no queryparam kc_locale=... set and I had to figure out which language is used and thus how to set the dropdowns selected option accordingly. My custom dropdown code just looks like this: <#if realm.internationalizationEnabled> <select name="languages" id="locale_dropdown"> <#list locale.supported as l> <option value="${l.url}"><a href="${l.url}"><${l.label}></a></option> </#list> </select> </#if> now when changing the login to english, not logging in, on next call of a protected page and redirect to the loginpage, I can't check in js which locale is set, for no querystring is set and the cookie is not accessible. So, 3 concrete questions: a) why is it httponly? xss attack prevention? b) Would it be possible to always get the locale in the querystring of login/pw form redirect? c) alternatively, is it possible to get the current locale in jsf by accessing locale.? Thanks in advance! Best regards, Dominik