Acidus wrote: Adds httpOnly cookie support to Firefox by encrypting cookies marked as httpOnly on the browser side, so that JavaScript cannot read them.
Awesome! Stefan Esser (of the Month of PHP mugs fame) continues to make excellent contributions to the web security space! Great job!
Are they still vulnerable the same way IE is where the browser respects httpOnly but XMLHttpRequest does not when you directly want to edit headers?