While we could discuss forever that HttpOnly isn't a complete solution for all
attack instances, that's not what matters. It's like saying, "Well, condoms
don't _always_ work, so let's just not use anything!" HttpOnly does work most
of the time, especially for stopping what our HTML/CSS spermicide doesn't.
-- Brad, https://bugzilla.mozilla.org/show_bug.cgi?id=178993#c49