FireFox 220.127.116.11 is truly an HTTPOnly champion!
I want to extend sincere congratulations to the entire Mozilla team. For the first time, a browser has shipped with complete support for the HTTPOnly cookie flag, including protection against the leak of HTTPOnly cookies through XMLHttpRequest response headers (what script can read back from getAllResponseHeaders() / getResponseHeader()).
IE 7/8 is very close to complete HTTPOnly support. When we test IE 7.0.5730.13 against http://ha.ckers.org/httponly.cgi, the result is Set-Cookie2 leakage: the HTTPOnly cookie is hidden from XHR when it arrives in a Set-Cookie header, but the same cookie sent in a Set-Cookie2 header is still readable by script. At least Set-Cookie is not leaked. (Note that even though IE exposes a Set-Cookie header below, it was a non-HTTPOnly cookie, so that exposure is reasonable.)
But look at the test results of FireFox 18.104.22.168: ALL Set-Cookie and Set-Cookie2 headers are removed! Even non-HTTPOnly cookies are now stripped from the XHR response headers that script can read.
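To make the three outcomes above concrete (full leak, Set-Cookie2-only leak, and nothing visible), here is an added example of the kind of check the ha.ckers.org test page performs. It is my own illustration, not code from the original post or from ha.ckers.org: the header blocks are constructed to model the behaviours described above, not captured from real browsers, and the `probe()` function is a hypothetical helper that runs the same verdict against a live XMLHttpRequest when one is available.

```javascript
'use strict';

// Constructed samples of what XMLHttpRequest.getAllResponseHeaders() returns
// (CRLF-separated "Name: value" lines). They model the behaviours discussed
// in the post; they are not real browser captures.
const SAMPLE_IE7 = [
  'Content-Type: text/html',
  'Set-Cookie: tracking=abc123; path=/',            // non-HttpOnly: exposure is reasonable
  'Set-Cookie2: secret2=xyz; Version=1; HttpOnly',  // HttpOnly cookie leaked via Set-Cookie2
  '',
].join('\r\n');

const SAMPLE_FIREFOX = [
  'Content-Type: text/html',
  'Cache-Control: no-store',                        // every cookie-setting header stripped
  '',
].join('\r\n');

const SAMPLE_NO_SUPPORT = [
  'Set-Cookie: secret=xyz; path=/; HttpOnly',       // both HttpOnly cookies readable
  'Set-Cookie2: secret2=xyz; Version=1; HttpOnly',
  '',
].join('\r\n');

// Split a raw header block into [lower-cased name, value] pairs.
function parseRawHeaders(raw) {
  return raw.split(/\r?\n/)
    .filter(line => line.includes(':'))
    .map(line => {
      const i = line.indexOf(':');
      return [line.slice(0, i).trim().toLowerCase(), line.slice(i + 1).trim()];
    });
}

// Collect every Set-Cookie / Set-Cookie2 header that script can see and note
// whether the cookie carried the HttpOnly attribute.
function auditCookieHeaders(raw) {
  const seen = [];
  for (const [name, value] of parseRawHeaders(raw)) {
    if (name !== 'set-cookie' && name !== 'set-cookie2') continue;
    seen.push({
      header: name,
      value,
      httpOnly: /(^|;)\s*httponly\s*(;|$)/i.test(value),
    });
  }
  return seen;
}

// PASS only if no HttpOnly cookie is readable; seeing a non-HttpOnly cookie is
// acceptable, and seeing nothing at all is the strictest behaviour.
function verdict(raw) {
  const seen = auditCookieHeaders(raw);
  const leaked = seen.filter(h => h.httpOnly);
  if (leaked.length) {
    return { status: 'FAIL',
             detail: 'HttpOnly cookie readable via ' + leaked.map(h => h.header).join(', ') };
  }
  if (seen.length) {
    return { status: 'PASS',
             detail: 'only non-HttpOnly cookies visible (' + seen.map(h => h.header).join(', ') + ')' };
  }
  return { status: 'PASS', detail: 'no Set-Cookie/Set-Cookie2 headers visible to script' };
}

// Hypothetical browser-side probe: fetch a page that sets HttpOnly cookies
// (url is whatever test page you point it at) and grade what script can read.
function probe(url, report) {
  if (typeof XMLHttpRequest === 'undefined') {
    report(new Error('no XMLHttpRequest in this runtime'));
    return;
  }
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, true);
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4) report(null, verdict(xhr.getAllResponseHeaders()));
  };
  xhr.send(null);
}

if (typeof module !== 'undefined' && require.main === module) {
  const samples = [['IE7-like', SAMPLE_IE7], ['Firefox-like', SAMPLE_FIREFOX], ['no-support', SAMPLE_NO_SUPPORT]];
  for (const [label, raw] of samples) {
    const v = verdict(raw);
    console.log(label + ': ' + v.status + ' (' + v.detail + ')');
  }
}
```

Run with `node` to grade the three constructed header blocks; in a browser, `probe('/some-page-that-sets-httponly-cookies', console.log)` applies the same grading to the real response. The point of the Set-Cookie2 check is the one the IE result makes: a browser that filters only the header name it expects still leaks the cookie through the alias.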
Sincere congratulations to the entire Mozilla team. I applaud your dedication to web application security excellence!