Question:What are CsrfToken and CtxsPluginAssistantState cookies

Answer:The RfWeb JavaScript code has to access both of these cookies. That is why they are not marked as HttpOnly. It would break RfWeb functionality if you do so.
 
CsrfToken is used by the server to send the CsrfToken value to the client-side JavaScript code so that it can send back the value in the subsequent request header or query string to protect the site from CSRF (cross site request forgery).
 
CtxsPluginAssistantState is used by the RfWeb JavaScript code to remember to status of client detection state. It is purely a client-side state and They are generated by StoreFront.