Facebook <securecookie> rules break apps

As reported here:

https://mail1.eff.org/pipermail/https-everywhere/2010-November/000475.html

We now need to work out whether there is a subset of cookies that we can secure to prevent account hijacking while still allowing apps to function :(