--- ../Zope2-2.12.0a4/src/Products/Sessions/BrowserIdManager.py 2009-04-24 08:59:42.000000000 +0000
+++ BrowserIdManager.py 2009-04-26 14:40:54.000000000 +0000
@@ -115,7 +115,7 @@
 def __init__(self, id, title='', idname='_ZopeId', location=('cookies', 'form'), cookiepath=('/'), cookiedomain='', cookielifedays=0, cookiesecure=0,
- auto_url_encoding=0):
+ auto_url_encoding=0, cookiehttponly=0):
 self.id = str(id) self.title = str(title) self.setBrowserIdName(idname)
@@ -124,6 +124,7 @@
 self.setCookieDomain(cookiedomain) self.setCookieLifeDays(cookielifedays) self.setCookieSecure(cookiesecure)
+ self.setCookieHTTPOnly(cookiehttponly)
 self.setAutoUrlEncoding(auto_url_encoding) def manage_afterAdd(self, item, container):
@@ -278,7 +279,7 @@
 def manage_changeBrowserIdManager( self, title='', idname='_ZopeId', location=('cookies', 'form'), cookiepath='/', cookiedomain='', cookielifedays=0, cookiesecure=0,
- auto_url_encoding=0, REQUEST=None
+ auto_url_encoding=0, cookiehttponly=0, REQUEST=None
 ): """ """ self.title = str(title)
@@ -289,6 +290,7 @@
 self.setCookieSecure(cookiesecure) self.setBrowserIdNamespaces(location) self.setAutoUrlEncoding(auto_url_encoding)
+ self.setCookieHTTPOnly(cookiehttponly)
 self.updateTraversalData() if REQUEST is not None: msg = '/manage_browseridmgr?manage_tabs_message=Changes saved'
@@ -377,6 +379,14 @@
 """ """ return self.cookie_domain
+ security.declareProtected(CHANGE_IDMGR_PERM, 'setCookieHTTPOnly')
+ def setCookieHTTPOnly(self, httponly):
+ self.cookie_httponly = not not httponly
+
+ security.declareProtected(ACCESS_CONTENTS_PERM, 'getCookieHTTPOnly')
+ def getCookieHTTPOnly(self):
+ return self.cookie_httponly
+
 security.declareProtected(CHANGE_IDMGR_PERM, 'setCookieSecure') def setCookieSecure(self, secure): """ sets cookie 'secure' element for id cookie """
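Review bot: The new `cookiehttponly=0` keyword on `__init__` makes the HttpOnly attribute opt-in, and nothing in the hunk records that choice for whoever wires up the add form. Since this object exists to issue the browser-id cookie, a defensive default would be 1, but that would change the behaviour of existing add forms, so at minimum state the default in the docstring `__init__` appears not to have, e.g. `""" cookiehttponly: emit the HttpOnly attribute on the browser-id cookie; off by default for backward compatibility """`. The same opt-in default is repeated on `manage_changeBrowserIdManager` in the -278 hunk, where an absent form field likewise means "off". The body of `__init__` continues outside the hunk.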
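Review bot: `getCookieHTTPOnly` returns `self.cookie_httponly`, and the -425 hunk reads the same attribute every time the cookie is set, but the attribute is only ever assigned through `setCookieHTTPOnly`, which `__init__` and `manage_changeBrowserIdManager` call; a BrowserIdManager instance persisted before this change will therefore raise AttributeError on its next cookie set unless the class body (outside every hunk) declares a class-level default such as `cookie_httponly = 0`, the usual Zope idiom for a newly added persistent attribute — worth confirming. The two new methods also lack the one-line docstrings their neighbours carry, e.g. `""" sets cookie 'HttpOnly' element for id cookie """` and `""" returns cookie 'HttpOnly' element for id cookie """`.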
@@ -387,7 +397,7 @@
 """ """ return self.cookie_secure
- security.declareProtected(CHANGE_IDMGR_PERM, 'setCookieSecure')
+ security.declareProtected(CHANGE_IDMGR_PERM, 'setAutoUrlEncoding')
 def setAutoUrlEncoding(self, auto_url_encoding): """ sets 'auto url encoding' on or off """ self.auto_url_encoding = not not auto_url_encoding
@@ -425,7 +435,8 @@
 # Wdy, DD-Mon-YYYY HH:MM:SS GMT expires = strftime('%a %d-%b-%Y %H:%M:%S GMT',gmtime(expires)) d = {'domain':self.cookie_domain,'path':self.cookie_path,
- 'secure':self.cookie_secure,'expires':expires}
+ 'secure':self.cookie_secure,'expires':expires,
+ 'httponly': self.cookie_httponly}
 if self.cookie_secure: URL1 = REQUEST.get('URL1', None)
--- ../Zope2-2.12.0a4/src/ZPublisher/HTTPResponse.py 2009-04-24 08:59:38.000000000 +0000
+++ HTTPResponse.py 2009-04-26 14:40:33.000000000 +0000
@@ -855,6 +855,9 @@
 cookie = '%s; Comment=%s' % (cookie,v) elif name == 'secure' and v: cookie = '%s; Secure' % cookie
+ elif name == 'httponly' and v:
+ cookie = '%s; HTTPOnly' % cookie
+
 cookie_list.append(cookie) # Should really check size of cookies here!
--- ../Zope2-2.12.0a4/src/Products/Sessions/dtml/addIdManager.dtml 2009-04-24 08:59:42.000000000 +0000
+++ addIdManager.dtml 2009-04-26 14:40:54.000000000 +0000
@@ -150,7 +150,16 @@ - + + +
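Review bot: The token emitted by the new `elif name == 'httponly' and v:` branch is `HTTPOnly`; browsers compare cookie attribute names case-insensitively, so it is honoured, but the attribute is conventionally spelled `HttpOnly`, which is what documentation and other tooling look for, so `cookie = '%s; HttpOnly' % cookie` reads better. The branch keys on the lower-case name `'httponly'`, matching the key the BrowserIdManager -425 hunk passes; if the enclosing loop (it starts outside the hunk) does not lower-case `name` first, a caller passing `HttpOnly=1` silently gets no attribute at all, which is worth confirming. A short comment above the branch would also help a reader, e.g. `# Ask the browser to keep this cookie out of reach of script (document.cookie)`.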
+ Make cookie not aviable from JavaScript +
+ + + + +
--- ../Zope2-2.12.0a4/src/Products/Sessions/dtml/manageIdManager.dtml 2009-04-24 08:59:42.000000000 +0000
+++ manageIdManager.dtml 2009-04-26 14:40:54.000000000 +0000
@@ -135,6 +135,18 @@ + +
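Review bot: The new checkbox label `Make cookie not aviable from JavaScript` misspells "available"; the same string is added to manageIdManager.dtml in the -135 hunk, so both should read `Make cookie not available from JavaScript`. Most of the markup in these two hunks was lost in rendering, so the checkbox's field name cannot be checked here; it needs to be `cookiehttponly` in both forms to reach the matching parameter on `__init__` and `manage_changeBrowserIdManager`, which is worth confirming against the source.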
+ Make cookie not aviable from JavaScript +
+ + + CHECKED> + + + +