httponly for cookies
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Zope 2 | Fix Released | Undecided | Tres Seaver |
Bug Description
Hi,
In our application we are using the 'HTTPOnly' attribute for cookies (http://
to protect the cookie from JavaScript access.
We currently patch the Zope2 like the changes in the attachment. The diff in the attachment is done against Zope2-2.12.0a4 and does two things:
1) HTTPResponse knows the cookie attribute 'HTTPOnly' and adds it to the header
2) Add an option in BrowserIdManager.py to autoadd the 'HTTPOnly' attribute for cookies used by sessions
Is there a chance, that the 'HTTPOnly'
Cheers,
Stephan
PS: I don't know the 'formalism' how to add a feature-request for Zope2. Please criticise me if this way is wrong.
Your patch is totally unreadable (including by reading the HTML sources).
The patch is possibly of interest - the chances are bigger to have it included in Zope 2.12 with some tests :-)
However we need a readable version of the patch first.
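Added example, not the attached patch and not Zope's own code: a standard-library Python sketch of the behaviour the bug description asks for, emitting the HttpOnly flag on a cookie and checking collected Set-Cookie values for session cookies that lack it. The cookie name `_ZopeId`, the helper names and the sample values are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

SESSION_COOKIES = {"_ZopeId"}  # assumption: the session (browser id) cookie name


def build_set_cookie(name, value, http_only=False, path="/"):
    """Serialize one Set-Cookie header value, optionally flagged HttpOnly."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    if http_only:
        jar[name]["httponly"] = True  # emitted as the bare "HttpOnly" flag
    return jar[name].OutputString()


def missing_httponly(set_cookie_values, session_names=SESSION_COOKIES):
    """Return names of session cookies set without HttpOnly.

    Attribute names are compared case-insensitively, so "HTTPOnly" (the
    spelling used in the report) and "HttpOnly" both count.
    """
    missing = []
    for raw in set_cookie_values:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        if name in session_names and "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed Set-Cookie values, as a response audit might collect them.
SAMPLE = [
    "_ZopeId=67001234A; Path=/",            # session cookie, readable by scripts
    "_ZopeId=67001234A; Path=/; HTTPOnly",  # session cookie, protected
    "theme=dark; Path=/",                   # not a session cookie, ignored
    build_set_cookie("_ZopeId", "67001234A", http_only=True),
]

if __name__ == "__main__":
    print(build_set_cookie("_ZopeId", "67001234A", http_only=True))
    print(missing_httponly(SAMPLE))
```

A check like `missing_httponly` is the kind of assertion a test for the session cookie option could make against the response headers.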