On Fri, Jun 12, 2015 at 03:43:11PM -0400, Jonathan Billings wrote:
Its technically true, however, XSS attacks can get around that restriction, which is why you saw so much malware posted on a site like googleusercontent.com. Sites that allow users to upload content are always being used to host malware for XSS attacks. But you still need to be visiting a site with the same domain as the cookie, and load a compromised page. Plus, if you use HttpOnly cookies, you have to go through even more complex XSS exploits to get at the cookie, since they aren't accessible through the DOM model.
I should add that the exploits are constantly being addressed by both Web Browser developers as well as developers of extensions like NoScript. Its an arms race.