During a penetration test the following finding was addressed by a security accountant
Session cookie not HTTPOnly: The session cookies 'SPWorkLoadAttribution' and 'ScaleCompatibilityDeviceId' are not as HTTPOnly marked. This means that it can be stolen through Cross Site Scripting (XSS). A attacker who has a valid session cookie can impersonate an authenticated user within the web application. This finding was found on: https://'companyname'.sharepoint.com Sharepoint environment SCAN Recommendation: Mark session cookies as HTTPOnly.
Is it possible for us to set this setting for SharePoint online?