Index: Doc/lib/libcookie.tex
===================================================================
--- Doc/lib/libcookie.tex (revision 53494)
+++ Doc/lib/libcookie.tex (working copy)
@@ -138,8 +138,14 @@
 \item \code{max-age}
 \item \code{secure}
 \item \code{version}
+\item \code{httponly} (\versionadded{2.6})
 \end{itemize}
+The attribute \code{httponly} is an extension by Microsoft. It specifies that
+the cookie is not accessible through script but only transfered in HTTP
+requests. This is intended to mitigate some forms of cross-site scripting, see
+\url{http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp}.
+
 The keys are case-insensitive.
 \end{classdesc}
Index: Lib/Cookie.py
===================================================================
--- Lib/Cookie.py (revision 53494)
+++ Lib/Cookie.py (working copy)
@@ -408,6 +408,9 @@
 # For historical reasons, these attributes are also reserved:
 # expires
 #
+ # This is an extension from Microsoft:
+ # httponly
+ #
 # This dictionary provides a mapping from the lowercase
 # variant on the left to the appropriate traditional
 # formatting on the right.
@@ -417,6 +420,7 @@
 "domain" : "Domain",
 "max-age" : "Max-Age",
 "secure" : "secure",
+ "httponly" : "httponly",
 "version" : "Version",
 }
@@ -499,6 +503,8 @@
 RA("%s=%d" % (self._reserved[K], V))
 elif K == "secure":
 RA(str(self._reserved[K]))
+ elif K == "httponly":
+ RA(str(self._reserved[K]))
 else:
 RA("%s=%s" % (self._reserved[K], V))
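Review bot: The new `"httponly" : "httponly"` entry in `_reserved` covers setting and emitting the attribute, but no visible hunk touches the parsing path or adds a test. `httponly` normally appears in a header as a bare token with no `=value`, so it is worth confirming that loading a cookie string containing it keeps the flag rather than dropping or misreading it. A round-trip test, set `morsel["httponly"]`, render, load and compare, would pin that down. The dictionary literal starts and ends outside this hunk.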
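Review bot: The added `elif K == "httponly":` branch duplicates the `secure` branch line for line, and like it appends the attribute without looking at `V`. Folding the two into `elif K in ("secure", "httponly"):` keeps the valueless flag attributes in one place. Whether `morsel["httponly"] = False` or `0` suppresses the flag depends on the skip check earlier in the loop, which is outside this hunk. If that check only skips empty strings, a falsy non-string value would still emit `httponly`, so a comment such as `# flag attributes: emitted whenever set to a non-empty value` would state the contract for callers. The enclosing method starts and ends outside the hunk.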