
I have personal knowledge that it was possible in 2007. I don't keep abreast of developments in browser security that make them more secure: unlike, say, Thomas and the geniuses at Matasano, all I need to know is the worst possible consequence of whatever our wonderful outsourcing partners dreamed up this time. XSS was one step below server-side code execution on our severity scale.

[Edit: This was apparently fixed in 2009 in Firefox. http://www.mozilla.org/security/announce/2009/mfsa2009-05.ht... Again, that is just one vector -- I still think HttpOnly is likely insufficient.]



