I simply don't know what is your experience with this, and on what you are basing your answers. Are you aware of, for example,
http://seckb.yehg.net/2012/06/xss-gaining-access-to-httponly-cookie.html ? This is the return of five seconds googling, I hope you are aware of people that simply don't share their findings in this area. Storing passwords in plain text anywhere is simply a bad idea, supposedly safe cookies in 2013 do not make them a better idea. You can just ignore the situation, of course.
Had you read your own damn link you'd realize:
a) This is a JAVA/SILVERLIGHT/INSERTSTUPIDSHITHERE EXPLOIT
b) It still doesn't break the domain sandbox, which means that the attacker would have to XSS it into my website somehow. I filter/sanitize all user-supplied input.
Class dismissed.