Alexey Zakhlestin's Blog

Programming for Mac and Web

Mozilla Will Support Http-only Cookies


A patch for [Bug 178993] MSIE-extension: HttpOnly cookie attribute for cross-site scripting vulnerability prevention has just been committed to Mozilla's CVS. It is not yet approved for inclusion in the 1.8 branch, but the trunk has it as of now.

This will help to solve some of the problems related to XSS vulnerabilities.

Update: the patch has been removed from the tree for now, but it looks like it will be back soon, after passing several bureaucratic procedures.