Cookies are sent only to the origin that set them and (except XSS attacks) are not revealed to anyone else. So who exactly is stealing them?
If you want web-applications to be powerful, and open, you also need to be able to have any web application to access any URL.
Why should only mail.google.com be able to access my emails, and not also my-little-opensource-webmail.com ?
To faciliate that, without also adding cookie stealing back in, you need to allow any website to open standard TCP sockets.
Cookies are sent only to the origin that set them and (except XSS attacks) are not revealed to anyone else. So who exactly is stealing them?