I wouldn't trust that, since there are many paths to the cheese besides document.cookie. For example, Firefox (IIRC) will let Javascript inspect all headers from an Ajax request. The cookie is just another string there...
Is that actually possible, or are you just pondering that it might be? If Firefox lets you access the raw HTTP Cookie header of a http-only cookie via AJAX, I would consider that a security bug, and report it...
I may take out 10 minutes to have a play with that later if nobody else checks first...
I have personal knowledge that it was possible in 2007. I don't keep abreast of developments in browser security that make them more secure: unlike, say, Thomas and the geniuses at Matasano, all I need to know is the worst possible consequence of whatever our wonderful outsourcing partners dreamed up this time. XSS was one step below server-side code execution on our severity scale.
The big security hole, as alluded to above, is that Firefox (and presumably Opera) allow access to the headers through XMLHttpObject. So you could make a trivial JavaScript call back to the local server, get the headers out of the string, and then post that back to an external domain. Not as easy as document.cookie, but hardly a feat of software engineering.
Totally academic debate. HttpOnly is a band-aid; being able to inject Javascript still lets me do almost anything that I'd ever want to do with that cookie in the future.
