Uh, couldn’t someone just filter the response from the server to remove the httpOnly flag? It seems very half-assed to use a feature that is client-side, in SOME browsers. This is a circumstance where it’s important enough to come up with a solution that isn’t just more obfuscated, but that actually has increases the security by an order of magnitude.
Just my opinion.