17 years ago
p3k dots

one thing is for sure now: only the httponly cookie flag could save one from harm, i.e. from xss cookie theft using javascript's document.cookie property.

even a "secure" cookie sent via https can be forwarded to another server and read there as plain text with this simple method, no matter whether an unencrypted or secure exploit channel is used.

so i'll wait and see what happens first: restricted html in antville.org postings or httponly in all popular browsers...