Cookieless domains and XSS issues?

Our site is getting dinged pretty hard on “cookieless” domains. For example:

Home page is
We use the following CDN domains: (javascripts) (css) (images, media, graphics, etc) (static images associated with our customers) (video files served up for our pages)

All of the CDN domains are Akamai, with a dedicated server in our data center for origin, except for the images and video domains, which have Akamai NetStorage as origin.

We set a cookie on (not, so obviously all of our CDN domains are “cookied”. We have to set this cookie domain-wide, since we have multiple hostnames under (such as, which are used for our A/B testing, etc, etc.

We are looking to move to a “cookieless” domain for the stuff that doesn’t require a cookie. Obviously we can get quick wins by setting up,, etc.

The one I am concerned about is the - will we run into any XSS issues? Or will this only occur if the javascripts require access to the cookies?

There should not be any cross-domain issues in moving the js to another domain.

AFAIK for cross-domain stuff, the browser is only concerned about the hostname of the page that the javascript is being run on, but not the hostname of the actual javascript files… – not entirely sure