Mozilla has quietly fitted a new security feature into the latest Firefox update, adding the ability for the browser to prevent cross-site scripting attacks.
Web application security experts are welcoming the move, which had been in the works for a few years.
Robert 'RSnake' Hansen, however, notes that the new browser remains vulnerable to credential leakage via XMLHttpRequest.
"The only problem I see with using this as protection against credential theft is that the cookies are still visible using XMLHttpRequest. If you look at [this example], it looks secure because the cookie is not visible. But if you look at this example you can see that using XMLHttpRequest you can still get access to the cookie by looking at the headers. This has been one of those long-standing problems with httpOnly, but it does raise the barrier by shutting down the most obvious way of getting at the cookies, using document.cookie."
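
The gap described in the quote, modelled as an added example that is not part of the original article or of Firefox's code: it contrasts what document.cookie exposes with what a script-readable header view exposes, and shows the effect of withholding Set-Cookie and Set-Cookie2 from script, the filtering the Fetch/XMLHttpRequest specifications require of browsers. The header block and all function names are constructed for illustration.

```javascript
// Constructed response headers for illustration (not captured from a real site).
const RAW_HEADERS = [
  "Content-Type: text/html",
  "Set-Cookie: session=abc123; Path=/; HttpOnly",
  "Set-Cookie: theme=dark; Path=/",
  "Cache-Control: no-store",
].join("\r\n");

// Split a raw header block into [name, value] pairs, keeping duplicates.
function parseHeaders(raw) {
  return raw.split(/\r?\n/).filter(Boolean).map((line) => {
    const i = line.indexOf(":");
    return [line.slice(0, i).trim(), line.slice(i + 1).trim()];
  });
}

// Split every Set-Cookie value into { pair, httpOnly }.
function parseSetCookies(raw) {
  return parseHeaders(raw)
    .filter(([name]) => name.toLowerCase() === "set-cookie")
    .map(([, value]) => {
      const parts = value.split(";").map((p) => p.trim());
      const httpOnly = parts.slice(1).some((a) => a.toLowerCase() === "httponly");
      return { pair: parts[0], httpOnly };
    });
}

// Model of document.cookie: HttpOnly cookies are withheld from script.
function documentCookieView(raw) {
  return parseSetCookies(raw).filter((c) => !c.httpOnly).map((c) => c.pair).join("; ");
}

// Model of the header text handed to script by getAllResponseHeaders().
// filtered=false is the behaviour in the quote; filtered=true withholds cookie headers.
const WITHHELD = new Set(["set-cookie", "set-cookie2"]);
function headerView(raw, filtered) {
  return parseHeaders(raw)
    .filter(([name]) => !(filtered && WITHHELD.has(name.toLowerCase())))
    .map(([name, value]) => `${name}: ${value}`)
    .join("\r\n");
}

// HttpOnly cookies that script can still read out of the header view.
function leakedHttpOnly(raw, filtered) {
  const view = headerView(raw, filtered);
  return parseSetCookies(raw).filter((c) => c.httpOnly && view.includes(c.pair)).map((c) => c.pair);
}

console.log(documentCookieView(RAW_HEADERS), leakedHttpOnly(RAW_HEADERS, false), leakedHttpOnly(RAW_HEADERS, true));
```

With the unfiltered view the HttpOnly session cookie is still reported as readable; with the filtered view only non-cookie headers remain visible to script.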