"Some of the most recent iterations of the XHR specifications at w3c have made some excellent security choices that will lock down the JavaScript HTTPOnly edge-case exposure vectors.

The latest editorial draft of the XHR w3c spec http://dev.w3.org/2006/webapi/XMLHttpRequest/

• prevents creating set-cookie/2 headers via setRequestHeader() in a case-insensitive way (but XHR is free to send Cookie/2 headers for any existing cookie, HTTPOnly or otherwise).

• prevents reading set-cookie/2 headers via getAllResponseHeaders() and getResponseHeader() in a case-insensitive way."
Read more: http://manicode.blogspot.com/2008/12/xmlhttprequest-will-be-more-secure-in.html
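As an added example (not code from the quoted post, the linked blog, or the W3C draft), the two rules above modelled in JavaScript over a constructed response-header block. The function names mirror the XHR methods but are plain functions over a header string, not a real XMLHttpRequest, and the sample cookie values are made up.

```javascript
// Model of the two draft XHR rules quoted above, applied to constructed
// sample headers. Real browsers enforce these natively; this makes the
// effect visible: script can neither set nor read Set-Cookie/Set-Cookie2.

// Header names the draft forbids script from setting or reading, compared
// case-insensitively (so "SET-COOKIE" and "set-Cookie2" are both caught).
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

function isForbiddenHeader(name) {
  return FORBIDDEN.has(String(name).trim().toLowerCase());
}

// Model of setRequestHeader(): returns the headers the request would carry.
// Forbidden names are dropped; everything else is kept.
function setRequestHeader(requestHeaders, name, value) {
  if (isForbiddenHeader(name)) {
    return requestHeaders; // ignored, as the draft requires
  }
  return { ...requestHeaders, [name]: value };
}

// Model of getAllResponseHeaders(): parse a raw CRLF-delimited header block
// and return only the lines script is allowed to see.
function getAllResponseHeaders(rawHeaders) {
  return rawHeaders
    .split("\r\n")
    .filter((line) => line.includes(":"))
    .filter((line) => !isForbiddenHeader(line.slice(0, line.indexOf(":"))))
    .join("\r\n");
}

// Model of getResponseHeader(name): null for forbidden or absent headers.
function getResponseHeader(rawHeaders, name) {
  if (isForbiddenHeader(name)) return null;
  const wanted = name.toLowerCase();
  for (const line of getAllResponseHeaders(rawHeaders).split("\r\n")) {
    const idx = line.indexOf(":");
    if (idx > 0 && line.slice(0, idx).trim().toLowerCase() === wanted) {
      return line.slice(idx + 1).trim();
    }
  }
  return null;
}

// Constructed sample response: an HttpOnly session cookie that must never
// reach script, plus ordinary headers that may.
const SAMPLE_RESPONSE =
  "Content-Type: text/html\r\n" +
  "SET-COOKIE: sid=constructed-sample; HttpOnly\r\n" +
  "Set-Cookie2: legacy=1; Version=1\r\n" +
  "X-Request-Id: abc123\r\n";
```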