In bug 380418 [1] we have decided to completely block access to the Set-Cookie header through XHR. This seems like the safest way to prevent httpOnly cookies from leaking into JavaScript.

In addition, it seems good to block access to headers that belong to the raw network protocol, are used for security, and can contain user credentials.

There is a risk that this will break sites, since we are blocking things that used to work. However, the number of legitimate uses seems pretty small (I can't think of any) and the win is high (blocking httpOnly cookies reliably, as well as possible future cookie expansions).

The way the blocking works is that the getResponseHeader and getAllResponseHeaders functions behave as if Set-Cookie and Set-Cookie2 were not sent by the server.
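As an added illustration (not the patch from bug 380418 or any Mozilla code), here is a small JavaScript model of that filtering; the filteredResponseHeaders helper and the sample header list are constructed for this example:

```javascript
// Added example: models the XHR response-header filtering described above.
// A raw header list is wrapped so that getResponseHeader() and
// getAllResponseHeaders() behave as if the server never sent Set-Cookie or
// Set-Cookie2, whatever letter case the server used.

const FORBIDDEN_RESPONSE_HEADERS = new Set(["set-cookie", "set-cookie2"]);

function filteredResponseHeaders(rawHeaders) {
  // rawHeaders: array of [name, value] pairs in the order received.
  // Drop the cookie-setting headers once, so no accessor can see them.
  const visible = rawHeaders.filter(
    ([name]) => !FORBIDDEN_RESPONSE_HEADERS.has(name.toLowerCase())
  );
  return {
    // XHR semantics: null when the header is absent, values of repeated
    // headers joined with ", ", header-name matching is case-insensitive.
    getResponseHeader(name) {
      const wanted = name.toLowerCase();
      const values = visible
        .filter(([n]) => n.toLowerCase() === wanted)
        .map(([, v]) => v);
      return values.length ? values.join(", ") : null;
    },
    // One CRLF-terminated "name: value" line per visible header.
    getAllResponseHeaders() {
      return visible.map(([n, v]) => `${n}: ${v}\r\n`).join("");
    },
  };
}

// Constructed sample response: an httpOnly session cookie and a Set-Cookie2
// header (in odd case) alongside ordinary headers. Neither cookie header
// must reach script through either accessor.
const sampleHeaders = [
  ["Content-Type", "text/html"],
  ["Set-Cookie", "SID=abc123; HttpOnly"],
  ["SET-COOKIE2", "SID2=def456; Version=1"],
  ["X-Custom", "one"],
  ["X-Custom", "two"],
];

const xhrView = filteredResponseHeaders(sampleHeaders);
```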

/ Jonas

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=380418
