# javalin
I know you're not, but it was listed as a possible means of attack. If you're rendering a web page and have something like `$blogPost` where the user can enter random HTML, they could enter `<meta http-equiv="Set-Cookie" Content="SID=123456;expires=Saturday,18-Feb-2017 12:00:00 GMT">`, which would be able to alter an HTTP-only cookie.