This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: http.cookies HttpOnly attribute does not use suggested case-style of HTTP standard
Type: behavior Stage: resolved
Components: Library (Lib) Versions: Python 3.4, Python 3.5
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: jdufresne, python-dev, r.david.murray
Priority: normal Keywords: patch

Created on 2015-01-16 14:25 by jdufresne, last changed 2022-04-11 14:58 by admin. This issue is now closed.

File name Uploaded Description Edit
http-only-case.patch jdufresne, 2015-01-16 14:26 Patch to correct case and tests review
Messages (2)
msg234132 - (view) Author: Jon Dufresne (jdufresne) * Date: 2015-01-16 14:25

Relevant section:


5.2.6. The HttpOnly Attribute

If the attribute-name case-insensitively matches the string HttpOnly", the user agent MUST append an attribute to the cookie-attribute-list with an attribute-name of HttpOnly and an empty attribute-value.


If the cookie-attribute-list contains an attribute with an attribute-name of "HttpOnly", set the cookie's http-only-flag to true. Otherwise, set the cookie's http-only-flag to false.


http.cookies creates this attribute as `httponly` not `HttpOnly`.

It is true, when interpreted by the user agent, this attribute is case insensitive, but it seems odd that Python would go out of its way to purposely use a different case then stated in the standard. When looking at other web technologies, the case used in the standard is most typical. The examples in the standard also use the `HttpOnly` style.

(Same applies to the Secure flag.)
msg234155 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2015-01-17 01:46
New changeset 0d8380c493ad by Benjamin Peterson in branch '3.4':
capitialize "HttpOnly" and "Secure" as they appear in the standard and other impls (closes #23250)
Date User Action Args
2022-04-11 14:58:11adminsetgithub: 67439
2015-01-17 01:46:55python-devsetstatus: open -> closed

nosy: + python-dev
messages: + msg234155

resolution: fixed
stage: commit review -> resolved
2015-01-16 15:02:09r.david.murraysetnosy: + r.david.murray
stage: commit review

versions: + Python 3.4
2015-01-16 14:26:31jdufresnesetfiles: + http-only-case.patch
keywords: + patch
2015-01-16 14:25:00jdufresnecreate