Issue 1638033: Add httponly to Cookie module (original) (raw)

Created on 2007-01-17 20:07 by arvins, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
python.diff arvins,2007-01-19 17:01 Patch for svn trunk.
HttpOnlyCookies.diff glyphobet,2008-09-05 19:28 revised patch against svn trunk using reST for the docs
Messages (15)
msg51757 - (view) Author: Arvin Schnell (arvins) Date: 2007-01-17 20:07
Add the Microsoft extension httponly to the Cookie module.
msg51758 - (view) Author: Jim Jewett (jimjjewett) Date: 2007-01-19 15:06
The documentation change should say what the attribute does. (It requests the the cookie be hidden from javascript, and available only to http requests.)
msg51759 - (view) Author: Arvin Schnell (arvins) Date: 2007-01-19 17:01
Sure, I have added some documentation to the patch. File Added: python.diff
msg51760 - (view) Author: John J Lee (jjlee) Date: 2007-01-30 00:52
This is backwards-incompatible, no? The behaviour of Morsel.set() changes (disallowing key="httponly") hence the behaviour of BaseCookie.__setitem__ changes. Do you have a use case?
msg51761 - (view) Author: Arvin Schnell (arvins) Date: 2007-01-30 18:45
Anybody who sets a cookie with key="httponly" is likely in trouble. I don't know and can't check how the IE behaves in that case. But disallowing this use shouldn't hurt. Use case: I would like to use the httponly attribute in Django. I think it's also useful for other web-frameworks.
msg51762 - (view) Author: John J Lee (jjlee) Date: 2007-01-31 23:17
I see. That sounds reasonable, but I won't comment on whether it should be applied since this part of module Cookie didn't really make sense to me in the first place (I explain why in my comment of 2006-12-03 16:49 in http://python.org/sf/1372650).
msg51763 - (view) Author: Arvin Schnell (arvins) Date: 2007-03-24 19:13
Maybe you are right about the cookie module. I'm not so much into that. But I just read that Firefox 3.0 Alpha 3 finally has support for the httponly attribute (see http://www.mozilla.org/projects/firefox/3.0a3/releasenotes/) so I think it's time that Python will also have the support.
msg51764 - (view) Author: Moese (moese) Date: 2007-08-05 19:42
Any word on this? I've tested the patch and it works. I'd like to use this in a Pylons application.
msg72368 - (view) Author: Matt Chisholm (glyphobet) Date: 2008-09-02 22:45
Any progress on this? This patch is extremely straightforward (only three lines of code), and should not break existing code. The HttpOnly extension to cookies is now supported by IE, Firefox 3.0, and Opera. This article explains why HttpOnly is a good way to make cross-site scripting attacks significantly more difficult: http://www.codinghorror.com/blog/archives/001167.htmllop I'd really like to see this patch applied to Cookie.py.
msg72369 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2008-09-02 22:49
Well, I'm sorry but this a feature request and must be delayed for 2.7/3.1, since 2.6/3.0 are now in the release candidate phase. :-( (as for the patch, it would be nice if it added an unit test for the new feature)
msg72531 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2008-09-04 22:08
To be honest, I don't see any harm in adding this now, especially since rc1 hasn't been released yet.
msg72535 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-04 22:30
Well, if it's to be added then the patch should be updated to use reST.
msg72620 - (view) Author: Matt Chisholm (glyphobet) Date: 2008-09-05 19:28
I have updated the diff to use reST for the docs. I removed the link to MSDN from the reST docs because it is broken and I could not find the article that it was intended to point to. I also slightly re-worded the paragraph describing httponly. I did not add any tests for the new feature as Antoine Pitrou requested, because the test for Cookie only tests SimpleCookie. It does not test expires, max-age, secure, or any of the other cookie attributes that Cookie.py sets. Testing httponly (or any of the other cookie attributes) would require rewriting most of the test.
msg72626 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-05 20:59
The patch looks good to me and I will apply it soon if there are not objections. Rewriting of Cookie's tests should probably be another issue.
msg72683 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-06 19:28
Ok. Applied in r66262.
History
Date User Action Args
2022-04-11 14:56:22 admin set github: 44486
2008-09-06 19:28:32 benjamin.peterson set status: open -> closedresolution: acceptedmessages: +
2008-09-05 20:59:48 benjamin.peterson set assignee: benjamin.petersonmessages: +
2008-09-05 19:28:38 glyphobet set files: + HttpOnlyCookies.diffmessages: +
2008-09-04 22:30:57 benjamin.peterson set nosy: + benjamin.petersonmessages: + versions: + Python 2.6, Python 3.0
2008-09-04 22:08:19 gvanrossum set nosy: + gvanrossummessages: +
2008-09-02 22:49:50 pitrou set nosy: + pitroutype: enhancementmessages: + versions: + Python 3.1, Python 2.7, - Python 2.6
2008-09-02 22:45:09 glyphobet set nosy: + glyphobetmessages: +
2007-01-17 20:07:38 arvins create