I've added the HttpOnly attribute to session cookies in order to raise the barrier to XSS cookie theft. It seems like a zero-cost win, so I thought I'd share.
It's still a draft spec but already has significant browser support. Not sure of the exact status, but the 2008 state is described on Coding Horror below:
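As an added illustration of the change described above (this is example code written here, not code from the pull request or the project it targets), the Node.js snippet below builds a session `Set-Cookie` header with `HttpOnly`, audits a list of `Set-Cookie` headers for session-looking cookies that lack it, and models what an injected script would see through `document.cookie`, from which browsers omit `HttpOnly` cookies. The function names, the session-name heuristic and the sample headers are assumptions made for the example. The caveat worth keeping in mind: `HttpOnly` blocks reading the cookie value from script, but an XSS payload can still issue requests from the victim's browser that carry the cookie, so it raises the bar for theft and exfiltration rather than removing the impact of XSS.

```javascript
// Added example (not from the pull request): build a session Set-Cookie header with
// HttpOnly, audit Set-Cookie headers for the attribute, and model which cookies a
// script injected via XSS could read through document.cookie.

// Build the Set-Cookie header value for a session cookie. `name`, `value` and the
// option names are illustrative; adapt them to whatever framework issues the cookie.
function buildSessionCookie(name, value, opts = {}) {
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
    throw new Error('invalid cookie name');
  }
  if (/[\s;,"\\]/.test(value)) {
    throw new Error('cookie value must not contain whitespace, ; , " or \\');
  }
  const parts = [`${name}=${value}`, `Path=${opts.path || '/'}`];
  if (opts.httpOnly !== false) parts.push('HttpOnly'); // default on: hidden from document.cookie
  if (opts.secure !== false) parts.push('Secure');     // default on: never sent over plain HTTP
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge)}`);
  return parts.join('; ');
}

// Parse one Set-Cookie header value into {name, value, attrs}.
// Attribute names are lower-cased because they are case-insensitive on the wire.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Audit Set-Cookie headers: report session-looking cookies missing HttpOnly or Secure.
// SESSION_NAME is a constructed heuristic for common session cookie names.
const SESSION_NAME = /sess|sid|token|auth/i;
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!SESSION_NAME.test(c.name)) continue;
    if (!('httponly' in c.attrs)) findings.push(`${c.name}: missing HttpOnly`);
    if (!('secure' in c.attrs)) findings.push(`${c.name}: missing Secure`);
  }
  return findings;
}

// Model what document.cookie exposes to an injected script: browsers omit HttpOnly
// cookies from it, so only the non-HttpOnly cookie names come back.
function readableViaDocumentCookie(headers) {
  return headers.map(parseSetCookie)
    .filter(c => !('httponly' in c.attrs))
    .map(c => c.name);
}

// Constructed sample: one hardened session cookie, one legacy session cookie without
// HttpOnly, and one non-session cookie that is fine to leave readable.
const SAMPLE_HEADERS = [
  buildSessionCookie('sessionid', 'abc123', { maxAge: 3600 }),
  'legacy_sid=xyz789; Path=/',
  'theme=dark; Path=/; Secure',
];

console.log(SAMPLE_HEADERS[0]);
console.log(auditSetCookies(SAMPLE_HEADERS));
console.log(readableViaDocumentCookie(SAMPLE_HEADERS));
```

Run it with `node` to see the hardened header, the audit finding for `legacy_sid`, and the list of cookie names (`legacy_sid`, `theme`) that a script could still read. Pointing `auditSetCookies` at the real `Set-Cookie` headers returned by a login response is a quick check that the attribute actually survived whatever framework or proxy sits in front of the app.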
Adding HttpOnly to session cookie in order to raise the barrier to XSS cookie theft
Merged pull request #12 from richmarr/master.
Added protection against XSS cookie-theft attacks