Preserve HttpOnly flag when deleting session cookie

fixes #4485

CHANGES.rst

@@ -45,6 +45,8 @@ Unreleased
 -   When using lazy loading (the default with the debugger), the Click
     context from the ``flask run`` command remains available in the
     loader thread. :issue:`4460`
+-   Deleting the session cookie uses the ``httponly`` flag.
+    :issue:`4485`
 
 
 Version 2.0.3

src/flask/sessions.py

@@ -383,13 +383,19 @@ class SecureCookieSessionInterface(SessionInterface):
         path = self.get_cookie_path(app)
         secure = self.get_cookie_secure(app)
         samesite = self.get_cookie_samesite(app)
+        httponly = self.get_cookie_httponly(app)
 
         # If the session is modified to be empty, remove the cookie.
         # If the session is empty, return without setting the cookie.
         if not session:
             if session.modified:
                 response.delete_cookie(
-                    name, domain=domain, path=path, secure=secure, samesite=samesite
+                    name,
+                    domain=domain,
+                    path=path,
+                    secure=secure,
+                    samesite=samesite,
+                    httponly=httponly,
                 )
 
             return
@@ -401,7 +407,6 @@ class SecureCookieSessionInterface(SessionInterface):
         if not self.should_set_cookie(app, session):
             return
 
-        httponly = self.get_cookie_httponly(app)
         expires = self.get_expiration_time(app, session)
         val = self.get_signing_serializer(app).dumps(dict(session))  # type: ignore
         response.set_cookie(