Yes indeed. XOR can make a fine one time pad if you can share the key securely. There are ways to do this. I'll give some hints and leave the rest to the student as an exercise.
First think about what a one time pad is. You start out with a source file, which can be anything (including a cyphertext). You then need a keyfile at least as large as the source file. It must be entirely random (or in our imperfect world, as random as possible). Each byte of the source file is XOR'd by a byte from the padfile. So, a six million byte source file requires a six million byte key. Attacks against this method include attacking the key generator or exploiting anomolies when same pad is repeatedly used.
I am told that some US security agencies generate keying material by shifting a gps stream in a particular way. This is rumoured to be the method used to encrypt the US/Moscow hotline. Both sides sync up and read the gps stream; then do something special to it. Ensuring that "something special" is unpredictable and produces a unique random stream every time is the trick.
So think about how you can do the same thing using something other than the gps data. There must be something that both sides have access to (the more random the better). Then you transform it (into a temporary keystream) in a way that isn't known to the bad guys, ensuring that it becomes "more random" than it was when it started. Then you XOR. Afterward you destroy the pad. Simple.
So put some creativity into developing ways to do this. You need a reference signal of some sort, the more random the better, and a way to sync it so both parties can access it identically. Then you have a preshared means to transform the reference signal. Then you XOR. Then you destroy all traces.