New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MozillaCookieJar ignores HttpOnly cookies #46443
Comments
HttpOnly cookie in Firefox's cookies.txt begins with "#HttpOnly_" now, #HttpOnly_.rad.live.com TRUE / FALSE 1258200001 FC09 FB= Since no obvious need, there are no patches for save method and |
I think firefox 3 no longer writes cookies.txt (it writes cookies.sqlite Can anybody point out a version of firefox that wrote this HttpOnly |
MozillaCookieJar is now a class in http.cookiejar, so patch would need update. Is this still used enough to bother? |
Firefox no longer use cookies.txt. I think this patch is useless. |
Would you suggest removing MozillaCookieJar from the module? |
Is deprecation really necessary? lynx still uses that format. lynx doesn't write the header that MozillaCookieJar insists on being present, but a trivial subclass can read cookies files written by lynx. |
Dear all, In fact, this cookie.txt format is still used by curl. For instance, see https://github.com/bagder/curl/blob/curl-7_39_0/lib/cookie.c#L644 which clearly shows support for the "#HttpOnly_" prefix. Therefore, supporting this format in http.cookiejar.MozillaCookieJar seems quite relevant to me. Attached is an updated patch. Kind regards, |
Can this issue be reopened? As Jérémie stated, curl uses this format and outputs cookie files using the #HttpOnly_ prefix. I also found at least one project that is working around lack of this support: One potential improvement for the proposed patch: instead of just stripping out #HttpOnly_, this attribute should be set on the Cookie that is created, within the 'rest' dict (rest={'HttpOnly': True}). The Morsel class is already aware of this attribute, as is the 'requests.cookies' module. |
Also confused about why this was closed. This format is still frequently used. In the absence of a solution in the standard library, I'm using this kludge to strip the leading from tempfile import NamedTemporaryFile
from http.cookiejar import MozillaCookieJar
from contextlib import contextmanager
def fix_cookie_jar_file(orig_cookiejarfile):
with NamedTemporaryFile(mode='w+') as cjf:
with open(orig_cookiejarfile, 'r') as ocf:
for l in ocf:
cjf.write(l[10:] if l.startswith('#HttpOnly_') else l)
cjf.seek(0)
yield cjf.name
MozillaCookieJar(filename=fix_cookie_jar_file(orig_cookiejarfile)) |
This issue was closed as useless for Firefox in 2010 by the original poster, msg109958. My participation here is only as tracker triager, as I only have a consumer knowledge of cookies. Unfortunately, there is no core developer expert for http, let alone the http.cookiejar. The person who once handled some cookie related patches is no longer active. Adding a patch to a closed issue is somewhat useless. In any case, a possible revised PR would be needed. My suggestion is to ask on python-ideas whether this enhancement might be accepted now and whether better to reopen this issue or open a new one. |
I've got a patch that will address both loading and saving of "HTTP-only" cookies: master...dlenski:patch-1 Testing/feedback before I submit as a PR would be very welcome. |
@terry.reedy, it looks like my PR just needs a core developer to review it. Would you mind taking a look? :-) |
https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies |
So, is anything more needed, or should PR-22798 and this issue be closed? |
This can be closed. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: