[#4571] only apply set-cookie for csrf protection when serving html pages
Only HTML content needs this cookie, since it's used via JS on web forms to
prevent CSRF. Removing it from all other content (e.g. icons, attachments)
makes those response more cacheable.
