comments (not for humans)
The new version of Firefox supports HttpOnly cookies. Unfortunately though, as Rsnake has written about here, the implementation has a vulnerability. Call getAllResponseHeaders() on an XMLHttpRequest object reveals the cookie.[...]
Just read Gnucitizen's article about exploiting firebug using javascript. This technique has been dubbed Cross-zone scripting, and is somewhat similar to XSS. Scary stuff.[...]