Searching for possible ways to get cookie with httpOnly enabled, I cannot find any. But then again, how do browser addons like Firebug, Add ‘N Edit Cookie, etc. can get the cookies? Can’t an attacker do the same?
So my question is, is it really, really impossible to get cookie of httpOnly enabled requests, using javascript?
p/s: Yes I’m aware httpOnly doesn’t stop XSS attacks. I’m also aware it’s futile against sniffers. Let’s just focus on javascript, sort of alert(document.cookie) type / pre httpOnly era.
They are browser extensions, and the browser has access to the cookies ; extensions have a higher level of privileges than you JS code.
Provided you are using a browser (ie, a quite recent browser) that support httpOnly and doesn’t have a security bug about it, it should be impossible — that’s the goal of httpOnly.
Quoting wikipedia :