cookie-httponly

Can someone copy an http-only cookie from a client PC?


I searched about it on the internet but didn't find anything. As we know, http-only cookies are immune to XSS attacks, but my concern is: what if someone copies it from the client PC?


Solution

  • The whole point of HttpOnly cookies is that they can't be accessed by JavaScript. Reading an http-only cookie is always forbidden on the latest versions of all major browsers. But more importantly, why do you want to read an HttpOnly cookie if you are not an attacker?

    And someone cannot copy HttpOnly cookies. Its purpose is to be inaccessible by script.
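The answer turns on what the HttpOnly attribute actually does: it is a flag on the Set-Cookie header that tells the browser to keep the cookie out of document.cookie and script-visible APIs. It is enforced by the browser, not by the server, so the server-side check a defender can make is that session cookies are issued with the flag (and with Secure). The following is an added example, not code from the question or the answer: a small Node.js audit that parses Set-Cookie header values and lists cookies that lack HttpOnly or Secure. The cookie names and values are constructed samples, and the function names (parseSetCookie, buildSessionCookie, findWeakCookies) are this example's own.

```javascript
// Added example: audit Set-Cookie headers for the HttpOnly and Secure flags.
// Not from the original question or answer; cookie names/values are constructed.

// Parse one Set-Cookie header value into its name, value and the attributes
// relevant here. Attribute names are case-insensitive per RFC 6265.
function parseSetCookie(headerValue) {
  const parts = headerValue.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: valueParts.join('='), // cookie values may themselves contain '='
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const [key, ...rest] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = rest.join('=').trim() || null;
  }
  return cookie;
}

// Build the Set-Cookie value a session cookie should carry: HttpOnly keeps it
// away from page script, Secure keeps it off plaintext HTTP, SameSite=Lax
// limits cross-site sending.
function buildSessionCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Return the names of cookies, from a list of Set-Cookie header values,
// that are missing HttpOnly or Secure.
function findWeakCookies(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly || !c.secure)
    .map((c) => c.name);
}

// Constructed sample headers, as a server might emit them.
const sampleHeaders = [
  buildSessionCookie('session', 'abc123'),
  'tracking=xyz; Path=/',        // script-readable and sent over plain HTTP
  'csrf=tok; Path=/; Secure',    // Secure, but script-readable (a CSRF token often must be)
];

console.log('cookies lacking HttpOnly or Secure:', findWeakCookies(sampleHeaders));
```

The audit catches the server-side mistake (issuing a session cookie without the flag). It is worth keeping in mind that HttpOnly is a restriction the browser applies to page script; it does not encrypt or otherwise protect the cookie store on disk, so a session cookie's lifetime and server-side revocation still matter independently of the flag.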