How can the PlayCanvas editor forbid XSS?

var Follow = pc.createScript('follow');
alert(document.cookie);

Your token is pc_auth, and it's HttpOnly, which tells the browser not to display the cookie through client-side scripts (document.cookie and others).
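The HttpOnly behaviour described in the reply above, as an added example that is not part of the original thread or PlayCanvas's own code: it parses Set-Cookie headers, models what document.cookie would return to a script, and audits the session cookie's flags. Only the cookie name pc_auth comes from the thread; the header values, the Secure and SameSite settings, the theme cookie and all function names are constructed assumptions.

```javascript
// Added example. Cookie values are constructed; only the name pc_auth is from the thread.
// Assumption: path, domain and expiry matching are ignored; only the flags are modelled.

// Parse one Set-Cookie header value into its name, value and security flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq === -1 ? '' : pair.slice(0, eq),
    value: eq === -1 ? pair : pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.trim().toLowerCase(); // attribute names are case-insensitive
    if (k === 'httponly') cookie.httpOnly = true;
    else if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = val.trim();
  }
  return cookie;
}

// What a page script would read from document.cookie: HttpOnly cookies are left out.
function scriptVisible(headers) {
  return headers.map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => (c.name ? `${c.name}=${c.value}` : c.value))
    .join('; ');
}

// Report session cookies that lack the flags a session token should carry.
function auditSessionCookies(headers, sessionNames) {
  const findings = [];
  for (const c of headers.map(parseSetCookie)) {
    if (!sessionNames.includes(c.name)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly`);
    if (!c.secure) findings.push(`${c.name}: missing Secure`);
    if (!c.sameSite) findings.push(`${c.name}: missing SameSite`);
  }
  return findings;
}

const HARDENED = ['pc_auth=CONSTRUCTED-TOKEN; Path=/; Secure; HttpOnly; SameSite=Lax', 'theme=dark; Path=/'];
const WEAK = ['pc_auth=CONSTRUCTED-TOKEN; Path=/', 'theme=dark; Path=/'];
console.log(scriptVisible(HARDENED), '|', scriptVisible(WEAK));
console.log(auditSessionCookies(WEAK, ['pc_auth']));
```

HttpOnly keeps the cookie value out of script reach only; it complements, rather than replaces, preventing untrusted script from running in the page.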