
This is an almost cosmetic defense, because JavaScript can still launch requests that will bear those cookies, even if it can't bank them for later.

HttpOnly isn't evil, but it's not a solution to the problem.




Security noob follow-up: How do you exploit the fact that your JavaScript can launch requests bearing those cookies? I'm assuming your end goal is to get access to those cookies. Do you do something like POST the contents of the original HTTP request headers that follow your injected \r\n (including said cookies) to a malicious server?


The goal could be CSRF instead of actually reading the cookies. If there's a SessionID cookie, for example, you can use JS to GET/POST the request to the server without needing to know the value of SessionID, because the browser will send it as part of the request anyway.

The HTTP Response Splitting vulnerability can have many implications; XSS and CSRF attacks are just some examples.
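
Added example, not part of any comment in this thread: because HttpOnly leaves the injection itself in place, the fix for the response-splitting case discussed above is to keep CR/LF out of header values on the server. The function names and sample values are constructed for illustration.

```javascript
// Added example: function names and inputs are hypothetical, not from the thread.

// Naive serializer: concatenates caller-supplied values straight into the
// response head, so a CR/LF inside a value ends that header early.
function buildHeadUnsafe(headers) {
  let head = "HTTP/1.1 302 Found\r\n";
  for (const [name, value] of Object.entries(headers)) {
    head += `${name}: ${value}\r\n`;
  }
  return head + "\r\n";
}

// Hardened serializer: rejects bad names and any control character in a
// value (horizontal tab excepted) instead of trying to clean the input up.
function buildHeadSafe(headers) {
  let head = "HTTP/1.1 302 Found\r\n";
  for (const [name, value] of Object.entries(headers)) {
    if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) {
      throw new Error(`invalid header name: ${JSON.stringify(name)}`);
    }
    if (/[\u0000-\u0008\u000a-\u001f\u007f]/.test(String(value))) {
      throw new Error(`control character in ${name} value`);
    }
    head += `${name}: ${value}\r\n`;
  }
  return head + "\r\n";
}

// Header lines a client would parse out of a serialized response head.
function headerLines(head) {
  return head.split("\r\n\r\n")[0].split("\r\n").slice(1);
}

// Constructed inputs: a redirect target taken from a request parameter.
const benign = "/account";
const tainted = "/account\r\nX-Injected: 1";

console.log(headerLines(buildHeadUnsafe({ Location: tainted }))); // two headers from one value
console.log(headerLines(buildHeadSafe({ Location: benign })));    // one header
```

Rejecting the value outright, rather than stripping the characters, keeps the failure visible in logs.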


Ah, right. Thanks!



