by hklutryhgg 1791 days ago
> If some site has an XSS vulnerability, then they've already got access to my session cookies

Not true if the website uses HttpOnly session cookies as they should.

1 comments

They don't need your session cookie either. An attacker can just use XMLHttpRequest to perform any actions as you on the website, and read the web page results. E.g. go to your profile and steal all your personal data.

They can also set up a keylogger or fake login screen and wait for you to type or paste in your password yourself.

I've always thought the HttpOnly cookie flag is overrated. Stealing the session cookie may be the easiest attack but it's hardly the only one.

I'm pretty sure you can defend against this with JavaScript script hashes and restrictive CSR's, but yeah, they are quite involved to set up.