For more information on Java security model, sandbox applet and signed applets, and privileged block API. Below are some documentation link that explain these:
Code is granted permissions:
b) if code is trusted (signed) and explicitly calls doPrivileged to elevate permissions
For us, the right fix is to also grant SecureCookiePermission in the JSProtectionDomain, and allow it to access cookie if JS/applet is originated from the same HTTPS host.
For the customer, they can workaround it right now by adding doPrivileged block to the entry point of the js->java call. This will elevate the Java code to be run with all-permissions - since their code is signed and trusted.