HttpOnly cookies are exposed when cookies.getAll() is passed

[colinclerk]

The technique used in the demo is dangerous, since HttpOnly cookies will be written to the document body: https://github.com/moshest/next-client-cookies/blob/main/demo/app/layout.tsx#L17

Instead, an explicit allowlist can be used to specify which cookie names get passed to the provider.

[moshest]

I guess we don't need to pass the cookies to the client. We just need a place to store then while rending on the server-side.

[moshest]

Fixed at v1.1.0-alpha.0