django-planet
July 20, 2024

Why CSRF token cookies don't need to be httpOnly

in blog Josh Karamuth

CSRF token cookies are typically sent without httpOnly set to true. But is that a secure practice?