The Cookie::fromString() method sets 'httponly' => true in line 49 by default.

$cookie = Cookie::fromString('foo=bar'); // foo=bar; path=/; httponly

However, I would expect the flag to be added only if explicitly given:

$cookie = Cookie::fromString('foo=bar'); // foo=bar; path=/
$cookie = Cookie::fromString('foo=bar; httponly'); // foo=bar; path=/; httponly

Otherwise there is no way to have a cookie without the HttpOnly flag, is there?