Add httponly to Cookie module #44486

Closed

arvins mannequin opened this issue Jan 17, 2007 · 15 comments
Assignees
Labels
stdlib (Python modules in the Lib dir), type-feature (A feature request or enhancement)

Comments


arvins mannequin commented Jan 17, 2007

BPO 1638033
Nosy @gvanrossum, @pitrou, @benjaminp
Files
  • python.diff: Patch for svn trunk.
  • HttpOnlyCookies.diff: revised patch against svn trunk using reST for the docs
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/benjaminp'
    closed_at = <Date 2008-09-06.19:28:32.910>
    created_at = <Date 2007-01-17.20:07:38.000>
    labels = ['type-feature', 'library']
    title = 'Add httponly to Cookie module'
    updated_at = <Date 2008-09-06.19:28:32.909>
    user = 'https://bugs.python.org/arvins'

    bugs.python.org fields:

    activity = <Date 2008-09-06.19:28:32.909>
    actor = 'benjamin.peterson'
    assignee = 'benjamin.peterson'
    closed = True
    closed_date = <Date 2008-09-06.19:28:32.910>
    closer = 'benjamin.peterson'
    components = ['Library (Lib)']
    creation = <Date 2007-01-17.20:07:38.000>
    creator = 'arvins'
    dependencies = []
    files = ['7728', '11396']
    hgrepos = []
    issue_num = 1638033
    keywords = ['patch']
    message_count = 15.0
    messages = ['51757', '51758', '51759', '51760', '51761', '51762', '51763', '51764', '72368', '72369', '72531', '72535', '72620', '72626', '72683']
    nosy_count = 8.0
    nosy_names = ['gvanrossum', 'jjlee', 'jimjjewett', 'pitrou', 'moese', 'arvins', 'benjamin.peterson', 'glyphobet']
    pr_nums = []
    priority = 'normal'
    resolution = 'accepted'
    stage = None
    status = 'closed'
    superseder = None
    type = 'enhancement'
    url = 'https://bugs.python.org/issue1638033'
    versions = ['Python 2.6', 'Python 3.0', 'Python 3.1', 'Python 2.7']


    arvins mannequin commented Jan 17, 2007

    Add the Microsoft extension httponly to the
    Cookie module.

arvins mannequin added the stdlib (Python modules in the Lib dir) label on Jan 17, 2007

    jimjjewett mannequin commented Jan 19, 2007

The documentation change should say what the attribute does. (It requests that the cookie be hidden from JavaScript, and available only to HTTP requests.)


    arvins mannequin commented Jan 19, 2007

    Sure, I have added some documentation to the patch.

    File Added: python.diff


    jjlee mannequin commented Jan 30, 2007

    This is backwards-incompatible, no? The behaviour of Morsel.set() changes (disallowing key="httponly") hence the behaviour of BaseCookie.__setitem__ changes.

    Do you have a use case?
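The behaviour described in the two comments above, in working code: the flag the cookie carries so that browsers keep it out of `document.cookie`, and the side effect jjlee points at, namely `httponly` becoming a reserved attribute name that `Morsel.set()` refuses as a cookie key. This is an added example, not part of the issue or of either attached patch. It targets Python 3's `http.cookies`, the later name of the `Cookie` module discussed here; the helper names and the sample cookie values are constructed for illustration.

```python
"""Added example: httponly in http.cookies (Python 3 name of the Cookie module)."""
from typing import List

from http.cookies import CookieError, SimpleCookie


def build_session_cookie(name: str, value: str, secure: bool = True) -> str:
    """Return the value of a Set-Cookie header for a session cookie that
    browsers hide from document.cookie (HttpOnly) and, by default, only
    send over HTTPS (Secure)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    # Flag attributes take a truthy value; the module emits the bare
    # token ("HttpOnly", "Secure") when set and nothing when not.
    morsel["httponly"] = True
    morsel["secure"] = secure
    morsel["path"] = "/"
    return morsel.OutputString()


def cookies_missing_httponly(set_cookie_header: str) -> List[str]:
    """Parse one Set-Cookie header value and list the cookie names in it
    that lack the HttpOnly flag (an audit helper for responses produced
    by code you do not control)."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    # An attribute that was never set is stored as "" on the Morsel, so a
    # plain truth test separates "HttpOnly present" from "absent".
    return [name for name, morsel in jar.items() if not morsel["httponly"]]


def is_reserved_cookie_name(name: str) -> bool:
    """True if the module refuses `name` as a cookie key.

    This is the backwards-incompatibility raised in the thread: once
    "httponly" joined the reserved attribute names, a cookie literally
    named "httponly" can no longer be set through Morsel.set()."""
    try:
        SimpleCookie()[name] = "x"
    except CookieError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample values.
    print(build_session_cookie("sessionid", "abc"))
    print(cookies_missing_httponly("tracking=xyz; Path=/"))
    print(is_reserved_cookie_name("httponly"), is_reserved_cookie_name("sessionid"))
```

`OutputString()` sorts attributes by name, so the header reads `sessionid=abc; HttpOnly; Path=/; Secure`; HttpOnly only keeps script on the page from reading the cookie, it does not stop a script from making requests that carry it, so it narrows what an XSS payload can exfiltrate rather than neutralising the XSS.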


    arvins mannequin commented Jan 30, 2007

Anybody who sets a cookie with key="httponly" is likely in trouble. I don't
know and can't check how IE behaves in that case. But disallowing this use
shouldn't hurt.

    Use case: I would like to use the httponly attribute in Django. I think it's
    also useful for other web-frameworks.


    jjlee mannequin commented Jan 31, 2007

    I see. That sounds reasonable, but I won't comment on whether it should be applied since this part of module Cookie didn't really make sense to me in the first place (I explain why in my comment of 2006-12-03 16:49 in http://python.org/sf/1372650).


    arvins mannequin commented Mar 24, 2007

    Maybe you are right about the cookie module. I'm not so much into that.

But I just read that Firefox 3.0 Alpha 3 finally has support for the httponly attribute (see http://www.mozilla.org/projects/firefox/3.0a3/releasenotes/), so I think it's time that Python also has support for it.


    moese mannequin commented Aug 5, 2007

    Any word on this? I've tested the patch and it works. I'd like to use this in a Pylons application.


    glyphobet mannequin commented Sep 2, 2008

    Any progress on this? This patch is extremely straightforward (only
    three lines of code), and should not break existing code.

    The HttpOnly extension to cookies is now supported by IE, Firefox 3.0,
    and Opera.

    This article explains why HttpOnly is a good way to make cross-site
    scripting attacks significantly more difficult:

    http://www.codinghorror.com/blog/archives/001167.htmllop

    I'd really like to see this patch applied to Cookie.py.


    pitrou commented Sep 2, 2008

Well, I'm sorry but this is a feature request and must be delayed for
2.7/3.1, since 2.6/3.0 are now in the release candidate phase. :-(

(as for the patch, it would be nice if it added a unit test for the new
feature)

pitrou added the type-feature (A feature request or enhancement) label on Sep 2, 2008

gvanrossum (Member) commented

    To be honest, I don't see any harm in adding this now, especially since
    rc1 hasn't been released yet.

benjaminp (Contributor) commented

    Well, if it's to be added then the patch should be updated to use reST.


    glyphobet mannequin commented Sep 5, 2008

    I have updated the diff to use reST for the docs. I removed the link to
    MSDN from the reST docs because it is broken and I could not find the
    article that it was intended to point to. I also slightly re-worded the
    paragraph describing httponly.

    I did not add any tests for the new feature as Antoine Pitrou requested,
    because the test for Cookie only tests SimpleCookie. It does not test
    expires, max-age, secure, or any of the other cookie attributes that
    Cookie.py sets. Testing httponly (or any of the other cookie attributes)
    would require rewriting most of the test.

benjaminp (Contributor) commented

    The patch looks good to me and I will apply it soon if there are not
    objections.

    Rewriting of Cookie's tests should probably be another issue.

benjaminp (Contributor) commented

    Ok. Applied in r66262.

ezio-melotti transferred this issue from another repository Apr 10, 2022