Tags: facebook, security, cookies, session-hijacking

Accessing Facebook cookies in browser

When I type in javascript:alert(document.cookie) in the URL bar, I only get to see some of the cookies which Facebook has set for my account.

I think this is because the other cookies are http only.


Solution

  • Different browsers will treat the HttpOnly flag in different ways. It should be very clear that the HttpOnly flag does not prevent XSS attacks. Using JavaScript you can still "ride" on the victim's session. The MySpace Samy worm is a good example of this. So you shouldn't need the cookie value, even if you are an attacker.

    Firefox add-ons are not subject to the same security limitations as JavaScript running from the address bar or loaded on the page. For instance the same-origin policy doesn't really apply, because an add-on doesn't have an origin. It is useful and secure enough for add-ons to bypass these rules.
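The following is an added example, not part of the question or the answer above, that makes the HttpOnly behaviour concrete from a defender's point of view. It parses constructed Set-Cookie headers (the cookie names and values are made up and are not real Facebook cookies), shows which of them `document.cookie` would expose to page script, shows that the browser still attaches every cookie, HttpOnly or not, to a same-origin request (which is why the answer says the flag does not stop session riding), and finishes with a small audit helper that flags session-style cookies missing HttpOnly or Secure.

```javascript
// Added example: HttpOnly hides a cookie from script but not from requests.
// The Set-Cookie headers below are constructed for illustration only.
const SAMPLE_SET_COOKIE_HEADERS = [
  "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "locale=en_US; Path=/",
  "csrftoken=tok456; Path=/; Secure; SameSite=Strict",
];

// Parse one Set-Cookie header into name, value and the attributes we care about.
function parseSetCookie(header) {
  const parts = header.split(";").map((s) => s.trim()).filter((s) => s.length > 0);
  const pair = parts[0];
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: false,
    secure: false,
    sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = v === undefined ? null : v;
  }
  return cookie;
}

// What `document.cookie` would return on the page: HttpOnly cookies are omitted.
// This is the behaviour the question observed in the URL bar.
function scriptVisibleCookieString(cookies) {
  return cookies
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// What the browser puts in the Cookie request header for a same-origin request:
// every cookie, HttpOnly included. Script that cannot read the session cookie
// can still cause requests that carry it, which is the point the answer makes.
function requestCookieHeader(cookies) {
  return cookies.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Audit helper: report cookies that script can read or that may travel over
// plain HTTP. Useful when reviewing a site's Set-Cookie headers.
function auditCookies(cookies) {
  const findings = [];
  for (const c of cookies) {
    if (!c.httpOnly) findings.push(`${c.name}: readable by script (no HttpOnly)`);
    if (!c.secure) findings.push(`${c.name}: sent over plain HTTP (no Secure)`);
  }
  return findings;
}

// Stand-alone run: show the two views of the same cookie jar and the audit.
const jar = SAMPLE_SET_COOKIE_HEADERS.map(parseSetCookie);
console.log("document.cookie would show:", scriptVisibleCookieString(jar));
console.log("Cookie request header would carry:", requestCookieHeader(jar));
console.log("Audit findings:", auditCookies(jar));
```

Note that the audit treats missing HttpOnly as a finding for every cookie; in practice a cookie that page script legitimately needs to read (a double-submit CSRF token, for example) is expected to lack the flag, so the output is a list to review rather than a verdict.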