This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Add httponly to Cookie module
Type: enhancement Stage:
Components: Library (Lib) Versions: Python 3.0, Python 3.1, Python 2.7, Python 2.6
Status: closed Resolution: accepted
Dependencies: Superseder:
Assigned To: benjamin.peterson Nosy List: arvins, benjamin.peterson, glyphobet, gvanrossum, jimjjewett, jjlee, moese, pitrou
Priority: normal Keywords: patch

Created on 2007-01-17 20:07 by arvins, last changed 2022-04-11 14:56 by admin. This issue is now closed.

File name Uploaded Description Edit
python.diff arvins, 2007-01-19 17:01 Patch for svn trunk.
HttpOnlyCookies.diff glyphobet, 2008-09-05 19:28 revised patch against svn trunk using reST for the docs
Messages (15)
msg51757 - (view) Author: Arvin Schnell (arvins) Date: 2007-01-17 20:07
Add the Microsoft extension httponly to the
Cookie module.
msg51758 - (view) Author: Jim Jewett (jimjjewett) Date: 2007-01-19 15:06
The documentation change should say what the attribute does.  (It requests the the cookie be hidden from javascript, and available only to http requests.)
msg51759 - (view) Author: Arvin Schnell (arvins) Date: 2007-01-19 17:01
Sure, I have added some documentation to the patch.

File Added: python.diff
msg51760 - (view) Author: John J Lee (jjlee) Date: 2007-01-30 00:52
This is backwards-incompatible, no?  The behaviour of Morsel.set() changes (disallowing key="httponly") hence the behaviour of BaseCookie.__setitem__ changes.

Do you have a use case?
msg51761 - (view) Author: Arvin Schnell (arvins) Date: 2007-01-30 18:45
Anybody who sets a cookie with key="httponly" is likely in trouble.  I don't
know and can't check how the IE behaves in that case.  But disallowing this use
shouldn't hurt.

Use case: I would like to use the httponly attribute in Django.  I think it's
also useful for other web-frameworks.
msg51762 - (view) Author: John J Lee (jjlee) Date: 2007-01-31 23:17
I see.  That sounds reasonable, but I won't comment on whether it should be applied since this part of module Cookie didn't really make sense to me in the first place (I explain why in my comment of 2006-12-03 16:49 in
msg51763 - (view) Author: Arvin Schnell (arvins) Date: 2007-03-24 19:13
Maybe you are right about the cookie module. I'm not so much into that.

But I just read that Firefox 3.0 Alpha 3 finally has support for the httponly attribute (see so I think it's time that Python will also have the support.
msg51764 - (view) Author: Moese (moese) Date: 2007-08-05 19:42
Any word on this? I've tested the patch and it works. I'd like to use this in a Pylons application.
msg72368 - (view) Author: Matt Chisholm (glyphobet) Date: 2008-09-02 22:45
Any progress on this? This patch is extremely straightforward (only
three lines of code), and should not break existing code. 

The HttpOnly extension to cookies is now supported by IE, Firefox 3.0,
and Opera. 

This article explains why HttpOnly is a good way to make cross-site
scripting attacks significantly more difficult:

I'd really like to see this patch applied to
msg72369 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2008-09-02 22:49
Well, I'm sorry but this a feature request and must be delayed for
2.7/3.1, since 2.6/3.0 are now in the release candidate phase. :-(

(as for the patch, it would be nice if it added an unit test for the new
msg72531 - (view) Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2008-09-04 22:08
To be honest, I don't see any harm in adding this now, especially since
rc1 hasn't been released yet.
msg72535 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-04 22:30
Well, if it's to be added then the patch should be updated to use reST.
msg72620 - (view) Author: Matt Chisholm (glyphobet) Date: 2008-09-05 19:28
I have updated the diff to use reST for the docs.  I removed the link to
MSDN from the reST docs because it is broken and I could not find the
article that it was intended to point to.  I also slightly re-worded the
paragraph describing httponly.  

I did not add any tests for the new feature as Antoine Pitrou requested,
because the test for Cookie only tests SimpleCookie. It does not test
expires, max-age, secure, or any of the other cookie attributes that sets. Testing httponly (or any of the other cookie attributes)
would require rewriting most of the test.
msg72626 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-05 20:59
The patch looks good to me and I will apply it soon if there are not

Rewriting of Cookie's tests should probably be another issue.
msg72683 - (view) Author: Benjamin Peterson (benjamin.peterson) * (Python committer) Date: 2008-09-06 19:28
Ok. Applied in r66262.
Date User Action Args
2022-04-11 14:56:22adminsetgithub: 44486
2008-09-06 19:28:32benjamin.petersonsetstatus: open -> closed
resolution: accepted
messages: + msg72683
2008-09-05 20:59:48benjamin.petersonsetassignee: benjamin.peterson
messages: + msg72626
2008-09-05 19:28:38glyphobetsetfiles: + HttpOnlyCookies.diff
messages: + msg72620
2008-09-04 22:30:57benjamin.petersonsetnosy: + benjamin.peterson
messages: + msg72535
versions: + Python 2.6, Python 3.0
2008-09-04 22:08:19gvanrossumsetnosy: + gvanrossum
messages: + msg72531
2008-09-02 22:49:50pitrousetnosy: + pitrou
type: enhancement
messages: + msg72369
versions: + Python 3.1, Python 2.7, - Python 2.6
2008-09-02 22:45:09glyphobetsetnosy: + glyphobet
messages: + msg72368
2007-01-17 20:07:38arvinscreate