Issue 23250: http.cookies HttpOnly attribute does not use suggested case-style of HTTP standard

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

This issue has been migrated to GitHub: https://github.com/python/cpython/issues/67439

classification

Title:	http.cookies HttpOnly attribute does not use suggested case-style of HTTP standard
Type:	behavior	Stage:	resolved
Components:	Library (Lib)	Versions:	Python 3.4, Python 3.5

process

Status:	closed	Resolution:	fixed
Dependencies:		Superseder:
Assigned To:		Nosy List:	jdufresne, python-dev, r.david.murray
Priority:	normal	Keywords:	patch

Created on 2015-01-16 14:25 by jdufresne, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name	Uploaded	Description	Edit
http-only-case.patch	jdufresne, 2015-01-16 14:26	Patch to correct case and tests	review

Messages (2)
msg234132 - (view)	Author: Jon Dufresne (jdufresne) *	Date: 2015-01-16 14:25
See http://tools.ietf.org/html/rfc6265#section-5.2.6 Relevant section: --- 5.2.6. The HttpOnly Attribute If the attribute-name case-insensitively matches the string HttpOnly", the user agent MUST append an attribute to the cookie-attribute-list with an attribute-name of HttpOnly and an empty attribute-value. ... If the cookie-attribute-list contains an attribute with an attribute-name of "HttpOnly", set the cookie's http-only-flag to true. Otherwise, set the cookie's http-only-flag to false. --- http.cookies creates this attribute as `httponly` not `HttpOnly`. It is true, when interpreted by the user agent, this attribute is case insensitive, but it seems odd that Python would go out of its way to purposely use a different case then stated in the standard. When looking at other web technologies, the case used in the standard is most typical. The examples in the standard also use the `HttpOnly` style. (Same applies to the Secure flag.)
msg234155 - (view)	Author: Roundup Robot (python-dev)	Date: 2015-01-17 01:46
New changeset 0d8380c493ad by Benjamin Peterson in branch '3.4': capitialize "HttpOnly" and "Secure" as they appear in the standard and other impls (closes #23250) https://hg.python.org/cpython/rev/0d8380c493ad

History
Date	User	Action	Args
2022-04-11 14:58:11	admin	set	github: 67439
2015-01-17 01:46:55	python-dev	set	status: open -> closed nosy: + python-dev messages: + msg234155 resolution: fixed stage: commit review -> resolved
2015-01-16 15:02:09	r.david.murray	set	nosy: + r.david.murray stage: commit review versions: + Python 3.4
2015-01-16 14:26:31	jdufresne	set	files: + http-only-case.patch keywords: + patch
2015-01-16 14:25:00	jdufresne	create