tldr; the secure on breaks the page, due to Angular (in the horizon page) needing access to the CSRF token.
Re-reading the fix, if the "HttpOnly" bit is dropped, but the Secure left in, then the cookie will only be sent over the secure SSL channel, but Angular will still be able to read the cookie (not HttpOnly).
Due to https:/ /review. opendev. org/#/c/ 695918 I've re-opened the bug, as the aforementioned review reverted the 'fix'.
tldr; the secure on breaks the page, due to Angular (in the horizon page) needing access to the CSRF token.
Re-reading the fix, if the "HttpOnly" bit is dropped, but the Secure left in, then the cookie will only be sent over the secure SSL channel, but Angular will still be able to read the cookie (not HttpOnly).