classification
Title: http.cookies HttpOnly attribute does not use suggested case-style of HTTP standard
Type: behavior
Stage: resolved
Components: Library (Lib)
Versions: Python 3.5, Python 3.4
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: jdufresne, python-dev, r.david.murray
Priority: normal
Keywords: patch

Created on 2015-01-16 14:25 by jdufresne, last changed 2015-01-17 01:46 by python-dev. This issue is now closed.

Files
File name Uploaded Description
http-only-case.patch jdufresne, 2015-01-16 14:26 Patch to correct case and tests
Messages (2)
msg234132 - Author: Jon Dufresne (jdufresne) Date: 2015-01-16 14:25
See http://tools.ietf.org/html/rfc6265#section-5.2.6

Relevant section:

---

5.2.6. The HttpOnly Attribute

If the attribute-name case-insensitively matches the string "HttpOnly", the user agent MUST append an attribute to the cookie-attribute-list with an attribute-name of HttpOnly and an empty attribute-value.

...

If the cookie-attribute-list contains an attribute with an attribute-name of "HttpOnly", set the cookie's http-only-flag to true. Otherwise, set the cookie's http-only-flag to false.

---

http.cookies creates this attribute as `httponly` not `HttpOnly`.

It is true, when interpreted by the user agent, this attribute is case insensitive, but it seems odd that Python would go out of its way to purposely use a different case than stated in the standard. When looking at other web technologies, the case used in the standard is most typical. The examples in the standard also use the `HttpOnly` style.

(Same applies to the Secure flag.)
msg234155 - Author: Roundup Robot (python-dev) Date: 2015-01-17 01:46
New changeset 0d8380c493ad by Benjamin Peterson in branch '3.4':
capitalize "HttpOnly" and "Secure" as they appear in the standard and other impls (closes #23250)
https://hg.python.org/cpython/rev/0d8380c493ad
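
The case-insensitive matching quoted from RFC 6265 above, as an added example that is not part of the issue or of CPython: a small header check that folds attribute names before comparing, so it reports the same flags whichever spelling `http.cookies` emits. The function names `parse_set_cookie_flags` and `emit_session_cookie` and the sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie


def parse_set_cookie_flags(set_cookie_value):
    """Return (name, value, flags) for one Set-Cookie header value.

    Follows the RFC 6265 section 5.2 shape: the first ';'-separated part is
    the name=value pair, every later part is an attribute whose name is
    compared case-insensitively.
    """
    parts = set_cookie_value.split(";")
    name, _, value = parts[0].partition("=")
    flags = {"http_only": False, "secure": False}
    for attr in parts[1:]:
        attr_name, _, _attr_value = attr.partition("=")
        folded = attr_name.strip().lower()
        if folded == "httponly":
            flags["http_only"] = True
        elif folded == "secure":
            flags["secure"] = True
    return name.strip(), value.strip(), flags


def emit_session_cookie():
    """Build a cookie with http.cookies and return the Set-Cookie value."""
    cookie = SimpleCookie()
    cookie["session"] = "constructed-sample-value"
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie["session"].OutputString()


# Constructed sample headers: same cookie, three spellings of the attributes,
# plus one header that sets neither flag.
SAMPLES = [
    "session=abc; HttpOnly; Secure",
    "session=abc; httponly; secure",
    "session=abc; HTTPONLY; SeCuRe",
    "session=abc; Path=/",
]

if __name__ == "__main__":
    for header in SAMPLES + [emit_session_cookie()]:
        print(header, "->", parse_set_cookie_flags(header)[2])
```

A header audit that matches the literal string `HttpOnly` instead of folding case would report the flag as missing on output from a Python version that predates this changeset.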
History
Date User Action Args
2015-01-17 01:46:55 python-dev set status: open -> closed; nosy: + python-dev; messages: + msg234155; resolution: fixed; stage: commit review -> resolved
2015-01-16 15:02:09 r.david.murray set nosy: + r.david.murray; stage: commit review; versions: + Python 3.4
2015-01-16 14:26:31 jdufresne set files: + http-only-case.patch; keywords: + patch
2015-01-16 14:25:00 jdufresne create