Comment 5 for bug 367393

stephan_hofmockel (dreagonfly) wrote :

Sorry for the upload crap :(

1) What should a good test for HTTPResponse look like? My current test calls HTTPResponse._cookie_list() directly and parses the output with a regex.

2) This attribute prevents cookie access from JavaScript. So it is more difficult for malicious JavaScript code to hijack the session by sending the current session cookie to the attacker.
You are right, most of the time data in a session is not critical and an attacker with a valid session ID gains nothing.
Unfortunately our application saves critical data in the session and uses (not only) this "special" cookie for protection.

I know this feature depends heavily on browser support and assists the "save critical data in a session" programming style. Nevertheless, sometimes it's unavoidable, and other applications outside can profit from this additional attribute.
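As an added example (not code from this bug thread or from the project it concerns), the following Python shows the mechanism the comment describes and a test in the spirit of question 1: a session cookie is emitted with the HttpOnly attribute using the standard library's http.cookies.SimpleCookie, and a small parser reads a list of Set-Cookie header values and reports which cookies lack HttpOnly. The project's own HTTPResponse._cookie_list() is not used; the header list below is constructed for the example, and the cookie name "sessionid" is an assumption.

```python
"""Added example: emitting an HttpOnly session cookie and checking for it.

Not code from the bug thread or the project; uses only the standard library.
"""
from http.cookies import SimpleCookie


def make_session_cookie(session_id: str, httponly: bool = True) -> str:
    """Return the value of a Set-Cookie header for a session cookie.

    The cookie name "sessionid" is an assumption made for this example.
    """
    jar = SimpleCookie()
    jar["sessionid"] = session_id
    jar["sessionid"]["path"] = "/"
    if httponly:
        # The flag is rendered as the bare attribute "HttpOnly", which tells
        # browsers that honour it to hide the cookie from document.cookie.
        jar["sessionid"]["httponly"] = True
    # OutputString() renders e.g. 'sessionid=abc123; HttpOnly; Path=/'
    return jar["sessionid"].OutputString()


def parse_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive, so they are lower-cased; flag
    attributes without a value (HttpOnly, Secure) are stored as True.
    Cookie values containing ';' are not handled (not needed here).
    """
    parts = header_value.split(";")
    name, _, value = parts[0].strip().partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.strip().partition("=")
        if key:
            attrs[key.lower()] = val if sep else True
    return {"name": name, "value": value, "attrs": attrs}


def cookies_without_httponly(headers: list) -> list:
    """Names of cookies, in a list of Set-Cookie values, that lack HttpOnly."""
    missing = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if "httponly" not in cookie["attrs"]:
            missing.append(cookie["name"])
    return missing


# Constructed sample: what a response's cookie list might look like.
SAMPLE_HEADERS = [
    "sessionid=abc123; HttpOnly; Path=/",
    "theme=dark; Path=/",
    "csrftoken=xyz; Path=/; Secure; HttpOnly",
]


if __name__ == "__main__":
    print(make_session_cookie("abc123"))
    print("missing HttpOnly:", cookies_without_httponly(SAMPLE_HEADERS))
```

A test for the real project would replace SAMPLE_HEADERS with the output of HTTPResponse._cookie_list() and assert that the session cookie's name is absent from cookies_without_httponly(); note that the check is only meaningful for the session cookie, since purely cosmetic cookies such as a theme setting gain little from the attribute.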