The csrfToken cookie should be accessible by the javascript, here the flag httpOnly is enabled where it shouldn’t.
Did you change the default configuration of the cookies in you config/app.php or config/passbolt.php files. Or do you enforce this at another level?