Make the XSRF-TOKEN cookie secure flag configurable in CookieServerCsrfTokenRepository. Closes gh-9678