How does the HttpOnly flag help?
For which cookies should I set the HttpOnly flag?
Does the HttpOnly flag provide 100% protection to the cookie?
No, HttpOnly cannot protect you from all client-side script attacks. There is a possibility of an attacker being able to leverage XSS with CSRF payload which can bypass HttpOnly to steal user cookies. An example can be found here.