#1638033: add support for httponly on Cookie.Morsel

Reviewer: Benjamin

#1638033: add support for httponly on Cookie.Morsel
Reviewer: Benjamin
6ac7d7c8 · Benjamin Peterson · 810f807b · 6ac7d7c8 · 6ac7d7c8 · 6ac7d7c8
Commit 6ac7d7c8 authored Sep 06, 2008 by Benjamin Peterson
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 1 deletion

Doc/library/cookie.rst Doc/library/cookie.rst +9 -1

Lib/Cookie.py Lib/Cookie.py +6 -0

Misc/ACKS Misc/ACKS +1 -0

Misc/NEWS Misc/NEWS +2 -0

No files found.
--- a/Doc/library/cookie.rst
+++ b/Doc/library/cookie.rst
@@ -148,7 +148,7 @@ Morsel Objects
 --------------


-.. class:: Morsel()
+.. class:: Morsel

   Abstract a key/value pair, which has some :rfc:`2109` attributes.

@@ -162,9 +162,17 @@ Morsel Objects
   * ``max-age``
   * ``secure``
   * ``version``
+   * ``httponly``
+
+   The attribute :attr:`httponly` specifies that the cookie is only transfered
+   in HTTP requests, and is not accessible through JavaScript. This is intended
+   to mitigate some forms of cross-site scripting.

   The keys are case-insensitive.

+   .. versionadded:: 2.6
+      The :attr:`httponly` attribute was added.
+

 .. attribute:: Morsel.value


--- a/Lib/Cookie.py
+++ b/Lib/Cookie.py
@@ -408,6 +408,9 @@ class Morsel(dict):
    # For historical reasons, these attributes are also reserved:
    #   expires
    #
+    # This is an extension from Microsoft:
+    #   httponly
+    #
    # This dictionary provides a mapping from the lowercase
    # variant on the left to the appropriate traditional
    # formatting on the right.
@@ -417,6 +420,7 @@ class Morsel(dict):
                   "domain"      : "Domain",
                   "max-age" : "Max-Age",
                   "secure"      : "secure",
+                   "httponly"  : "httponly",
                   "version" : "Version",
                   }

@@ -499,6 +503,8 @@ class Morsel(dict):
                RA("%s=%d" % (self._reserved[K], V))
            elif K == "secure":
                RA(str(self._reserved[K]))
+            elif K == "httponly":
+                RA(str(self._reserved[K]))
            else:
                RA("%s=%s" % (self._reserved[K], V))


--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -122,6 +122,7 @@ Nicolas Chauvat
 Michael Chermside
 Albert Chin-A-Young
 Adal Chiriliuc
+Matt Chisholm
 Tom Christiansen
 Vadim Chugunov
 David Cinege

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -56,6 +56,8 @@ C-API
 Library
 -------

+- Issue #1638033: Cookie.Morsel gained the httponly attribute.
+
 - Issue #3535: zipfile couldn't read some zip files larger than 2GB.

 - Issue #3776: Deprecate the bsddb package for removal in 3.0.