Comment 3 for bug 1369876

reading more carefully, I see our docs don't mention CSRF_COOKIE_HTTPONLY so they aren't wrong. (They reference CSRF_COOKIE_SECURE) But also this suggests that no investigation has been done on potential side-effects.