1) The Qt C++ network library used by the Qt port of WebKit (the rendering engine Safari is built on) - particularly its QNetworkCookie class - has finished adding HttpOnly support! See http://trolltech.com/developer/task-tracker/index_html?id=206125&method=entry for more information on the specific bug. My undercover Safari developer resource tells me that Safari is soon to follow with full HttpOnly support in both the Windows and OSX versions!
2) The latest version of the Servlet 3.0 specification (JSR 315) has added HttpOnly support to both the Cookie and SessionCookieConfig classes (setHttpOnly/isHttpOnly). You can download the JavaDoc here. Thank you to Rajiv Mordani @ Sun!
HttpOnly is not a cure-all. It is simply one defense-in-depth measure that helps prevent XSS session hijacking: when the flag is set, script cannot read the cookie through document.cookie, so an injected script cannot exfiltrate the session identifier that way. HttpOnly can still be circumvented by triggering a request through the XMLHttpRequest object and reading the Set-Cookie response headers (for example via getAllResponseHeaders()), which some browsers hand back to script unfiltered. Fellow HttpOnly crusader Eric Bing from Oracle is also leading the charge, communicating with the W3C about future specifications to prevent the XMLHttpRequest JavaScript object from accessing HttpOnly cookies! Exciting!
In other HttpOnly news:
WebLogic is testing an HttpOnly flag and is currently reviewing the patch "for feasibility".
There is a Firefox bug already addressing the circumvention of HttpOnly via XMLHttpRequest response headers described above. Please consider adding your vote to help encourage the team to lock down this HttpOnly circumvention vector: https://bugzilla.mozilla.org/votes.cgi?action=show_user&bug_id=380418#vote_380418
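To make the "HttpOnly is not a cure-all" point and the XMLHttpRequest header vector concrete, here is an added example (mine, not code from the original post or from any browser or vendor mentioned in it). It is a small Node.js model of how a browser treats the HttpOnly attribute: the Set-Cookie headers, cookie names and values are constructed samples, and the filterSetCookie switch is an assumption that stands in for the browser-side fix the Firefox bug asks for (modern browsers do strip Set-Cookie from what XMLHttpRequest exposes).

```javascript
// Added example, not code from the original post: a Node.js model of what the
// HttpOnly attribute does and does not protect. Headers below are constructed.
const SAMPLE_SET_COOKIE_HEADERS = [
  "JSESSIONID=abc123; Path=/; HttpOnly",
  "theme=dark; Path=/",
  "csrf=tok987; Path=/; Secure",
];

// Parse one Set-Cookie header into {name, value, attributes}. Attribute names
// are case-insensitive, so they are lower-cased for lookup.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return { name, value, attributes };
}

// A cookie jar keeps every cookie together with its attributes, so the
// HttpOnly decision can be made per cookie at access time.
function buildCookieJar(headers) {
  return headers.map(parseSetCookie);
}

// document.cookie as script sees it: the browser omits HttpOnly cookies.
function documentCookieView(jar) {
  return jar
    .filter((c) => !c.attributes.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// The Cookie request header the network stack sends: every cookie goes back to
// the server, HttpOnly ones included. The flag limits script, not transport.
function cookieRequestHeader(jar) {
  return jar.map((c) => `${c.name}=${c.value}`).join("; ");
}

// The circumvention described in the post: if getAllResponseHeaders() hands
// back raw response headers, script reads the Set-Cookie lines and HttpOnly is
// moot. filterSetCookie=true models the browser-side fix (an assumption here:
// Set-Cookie is dropped before headers reach script).
function setCookieVisibleToXhr(responseHeaders, filterSetCookie) {
  const exposed = filterSetCookie
    ? responseHeaders.filter(([name]) => name.toLowerCase() !== "set-cookie")
    : responseHeaders;
  return exposed
    .filter(([name]) => name.toLowerCase() === "set-cookie")
    .map(([, value]) => value);
}

const jar = buildCookieJar(SAMPLE_SET_COOKIE_HEADERS);
const responseHeaders = [
  ["Content-Type", "text/html"],
  ...SAMPLE_SET_COOKIE_HEADERS.map((h) => ["Set-Cookie", h]),
];

// An XSS payload that exfiltrates document.cookie gets theme and csrf, but
// not JSESSIONID; the session id still rides on every request's Cookie header.
console.log("document.cookie:", documentCookieView(jar));
console.log("Cookie header:  ", cookieRequestHeader(jar));
console.log("XHR, raw headers:     ", setCookieVisibleToXhr(responseHeaders, false));
console.log("XHR, Set-Cookie hidden:", setCookieVisibleToXhr(responseHeaders, true));
```

The two XHR lines are the whole argument of this post in miniature: with raw headers exposed, the injected script gets all three Set-Cookie lines, session id included, so the server's HttpOnly flag bought nothing; with Set-Cookie filtered, script is back to seeing only what document.cookie shows.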
And the Crusade Continues......
