
[HttpFoundation] set httponly to true by default

This is a more secure default and has virtually no impact unless you try to read cookies from javascript.
Jordi Boggiano 15 years ago
parent
commit
fb55f7beb2
1 changed file with 1 addition and 1 deletion

+ 1 - 1
src/Symfony/Components/HttpFoundation/HeaderBag.php

@@ -171,7 +171,7 @@ class HeaderBag
      *
      * @throws \InvalidArgumentException When the cookie expire parameter is not valid
      */
-    public function setCookie($name, $value, $domain = null, $expires = null, $path = '/', $secure = false, $httponly = false)
+    public function setCookie($name, $value, $domain = null, $expires = null, $path = '/', $secure = false, $httponly = true)
     {
         // from PHP source code
         if (preg_match("/[=,; \t\r\n\013\014]/", $name)) {
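Review bot: Flipping the `$httponly` default in the `setCookie()` signature silently changes behaviour for every existing caller that omits the last argument, and nothing in the visible docblock (only the `@throws` line is shown) records the new default. Please state the default in the parameter documentation and add a changelog or upgrade note saying that code which reads these cookies from JavaScript must now pass `$httponly = false` explicitly. A test asserting that a cookie set with default arguments carries the HttpOnly attribute would keep the default from regressing. Note also that `$secure` still defaults to `false` on the same line, so the cookie is protected from script access but will still be sent over plain HTTP unless the caller opts in.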