Index: Doc/library/cookie.rst
===================================================================
--- Doc/library/cookie.rst	(revision 66233)
+++ Doc/library/cookie.rst	(working copy)
@@ -162,7 +162,14 @@
    * ``max-age``
    * ``secure``
    * ``version``
+   * ``httponly`` versionadded:: 2.6
 
+   The attribute :attr:`httponly` is an extension by Microsoft and is
+   supported by Internet Explorer 7, Firefox 3, and Opera 9.5. It
+   specifies that the cookie is only transfered in HTTP requests, and
+   is not accessible through JavaScript. This is intended to mitigate
+   some forms of cross-site scripting.
+
    The keys are case-insensitive.
 
 
Index: Lib/Cookie.py
===================================================================
--- Lib/Cookie.py	(revision 66233)
+++ Lib/Cookie.py	(working copy)
@@ -408,6 +408,9 @@
     # For historical reasons, these attributes are also reserved:
     #   expires
     #
+    # This is an extension from Microsoft:
+    #   httponly
+    #
     # This dictionary provides a mapping from the lowercase
     # variant on the left to the appropriate traditional
     # formatting on the right.
@@ -417,6 +420,7 @@
                    "domain"      : "Domain",
                    "max-age" : "Max-Age",
                    "secure"      : "secure",
+                   "httponly"  : "httponly",
                    "version" : "Version",
                    }
 
@@ -499,6 +503,8 @@
                 RA("%s=%d" % (self._reserved[K], V))
             elif K == "secure":
                 RA(str(self._reserved[K]))
+            elif K == "httponly":
+                RA(str(self._reserved[K]))
             else:
                 RA("%s=%s" % (self._reserved[K], V))