If it weren't already in the same domain you wouldn't be able to read a non-HttpOnly cookie anyway, so that's moot.