--- ../Zope2-2.12.0a4/src/Products/Sessions/BrowserIdManager.py 2009-04-24 08:59:42.000000000 +0000
+++ BrowserIdManager.py 2009-04-26 14:40:54.000000000 +0000
@@ -115,7 +115,7 @@
def __init__(self, id, title='', idname='_ZopeId',
location=('cookies', 'form'), cookiepath=('/'),
cookiedomain='', cookielifedays=0, cookiesecure=0,
- auto_url_encoding=0):
+ auto_url_encoding=0, cookiehttponly=0):
self.id = str(id)
self.title = str(title)
self.setBrowserIdName(idname)
@@ -124,6 +124,7 @@
self.setCookieDomain(cookiedomain)
self.setCookieLifeDays(cookielifedays)
self.setCookieSecure(cookiesecure)
+ self.setCookieHTTPOnly(cookiehttponly)
self.setAutoUrlEncoding(auto_url_encoding)
def manage_afterAdd(self, item, container):
@@ -278,7 +279,7 @@
def manage_changeBrowserIdManager(
self, title='', idname='_ZopeId', location=('cookies', 'form'),
cookiepath='/', cookiedomain='', cookielifedays=0, cookiesecure=0,
- auto_url_encoding=0, REQUEST=None
+ auto_url_encoding=0, cookiehttponly=0, REQUEST=None
):
""" """
self.title = str(title)
@@ -289,6 +290,7 @@
self.setCookieSecure(cookiesecure)
self.setBrowserIdNamespaces(location)
self.setAutoUrlEncoding(auto_url_encoding)
+ self.setCookieHTTPOnly(cookiehttponly)
self.updateTraversalData()
if REQUEST is not None:
msg = '/manage_browseridmgr?manage_tabs_message=Changes saved'
@@ -377,6 +379,14 @@
""" """
return self.cookie_domain
+ security.declareProtected(CHANGE_IDMGR_PERM, 'setCookieHTTPOnly')
+ def setCookieHTTPOnly(self, httponly):
+ self.cookie_httponly = not not httponly
+
+ security.declareProtected(ACCESS_CONTENTS_PERM, 'getCookieHTTPOnly')
+ def getCookieHTTPOnly(self):
+ return self.cookie_httponly
+
security.declareProtected(CHANGE_IDMGR_PERM, 'setCookieSecure')
def setCookieSecure(self, secure):
""" sets cookie 'secure' element for id cookie """
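Review bot: getCookieHTTPOnly returns self.cookie_httponly, which only setCookieHTTPOnly assigns, so a BrowserIdManager instance that was stored in the ZODB before this change will presumably raise AttributeError from getCookieHTTPOnly, and from the `'httponly': self.cookie_httponly` lookup added later in this patch, until its manage form is re-submitted. A class-level default such as `cookie_httponly = 0` alongside the other attribute defaults would keep old instances working; the class body is outside this hunk, so check whether one already exists. The two new methods also lack the one-line docstrings their siblings carry, e.g. `""" sets cookie 'httponly' element for id cookie """` on setCookieHTTPOnly and `""" returns cookie 'httponly' element for id cookie """` on getCookieHTTPOnly.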
@@ -387,7 +397,7 @@
""" """
return self.cookie_secure
- security.declareProtected(CHANGE_IDMGR_PERM, 'setCookieSecure')
+ security.declareProtected(CHANGE_IDMGR_PERM, 'setAutoUrlEncoding')
def setAutoUrlEncoding(self, auto_url_encoding):
""" sets 'auto url encoding' on or off """
self.auto_url_encoding = not not auto_url_encoding
@@ -425,7 +435,8 @@
# Wdy, DD-Mon-YYYY HH:MM:SS GMT
expires = strftime('%a %d-%b-%Y %H:%M:%S GMT',gmtime(expires))
d = {'domain':self.cookie_domain,'path':self.cookie_path,
- 'secure':self.cookie_secure,'expires':expires}
+ 'secure':self.cookie_secure,'expires':expires,
+ 'httponly': self.cookie_httponly}
if self.cookie_secure:
URL1 = REQUEST.get('URL1', None)
--- ../Zope2-2.12.0a4/src/ZPublisher/HTTPResponse.py 2009-04-24 08:59:38.000000000 +0000
+++ HTTPResponse.py 2009-04-26 14:40:33.000000000 +0000
@@ -855,6 +855,9 @@
cookie = '%s; Comment=%s' % (cookie,v)
elif name == 'secure' and v:
cookie = '%s; Secure' % cookie
+ elif name == 'httponly' and v:
+ cookie = '%s; HTTPOnly' % cookie
+
cookie_list.append(cookie)
# Should really check size of cookies here!
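Review bot: The attribute appended in the new elif branch is spelled `HTTPOnly`, while the spelling used by the original Microsoft definition and RFC 6265 is `HttpOnly`; user agents match attribute names case-insensitively (RFC 6265 §5.2), so this still takes effect, but the canonical spelling avoids false negatives in header-scanning tools and tests that grep for the literal, `cookie = '%s; HttpOnly' % cookie`. The blank line added directly after the new branch sits inside the elif chain and is out of step with the surrounding branches. The enclosing loop and function both start outside this hunk.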
--- ../Zope2-2.12.0a4/src/Products/Sessions/dtml/addIdManager.dtml 2009-04-24 08:59:42.000000000 +0000
+++ addIdManager.dtml 2009-04-26 14:40:54.000000000 +0000
@@ -150,7 +150,16 @@
-
+
+
+
+ Make cookie not aviable from JavaScript
+
+
+
+
+
+
--- ../Zope2-2.12.0a4/src/Products/Sessions/dtml/manageIdManager.dtml 2009-04-24 08:59:42.000000000 +0000
+++ manageIdManager.dtml 2009-04-26 14:40:54.000000000 +0000
@@ -135,6 +135,18 @@
+
+
+ Make cookie not aviable from JavaScript
+
+
+
+ CHECKED>
+
+
+
+