Index: Doc/lib/libcookie.tex
===================================================================
--- Doc/lib/libcookie.tex (revision 53494)
+++ Doc/lib/libcookie.tex (working copy)
@@ -138,8 +138,14 @@
\item \code{max-age}
\item \code{secure}
\item \code{version}
+\item \code{httponly}
\end{itemize}
+The attribute \code{httponly} is an extension by Microsoft. It specifies that
+the cookie is not accessible through script but only transfered in HTTP
+requests. This is intended to mitigate some forms of cross-site scripting, see
+\url{http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp}.
+
The keys are case-insensitive.
\end{classdesc}
Index: Lib/Cookie.py
===================================================================
--- Lib/Cookie.py (revision 53494)
+++ Lib/Cookie.py (working copy)
@@ -408,6 +408,9 @@
# For historical reasons, these attributes are also reserved:
# expires
#
+ # This is an extension from Microsoft:
+ # httponly
+ #
# This dictionary provides a mapping from the lowercase
# variant on the left to the appropriate traditional
# formatting on the right.
@@ -417,6 +420,7 @@
"domain" : "Domain",
"max-age" : "Max-Age",
"secure" : "secure",
+ "httponly" : "httponly",
"version" : "Version",
}
@@ -499,6 +503,8 @@
RA("%s=%d" % (self._reserved[K], V))
elif K == "secure":
RA(str(self._reserved[K]))
+ elif K == "httponly":
+ RA(str(self._reserved[K]))
else:
RA("%s=%s" % (self._reserved[K], V))
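Review bot: The new `httponly` branch emits the bare flag for any non-empty value, so a Morsel whose `httponly` was set to `False` or `0` still renders `httponly` in the Set-Cookie header; if the loop's earlier guard (outside this hunk) only skips empty-string values, a truthiness check is needed before the append. Since the branch is otherwise a copy of the `secure` case, the two could be merged as `elif K in ("secure", "httponly"):` followed by `    if V: RA(str(self._reserved[K]))`. Applying that check to `secure` as well would change existing behaviour for callers that set it to a falsy non-empty value, so either keep the check on `httponly` only or note the change for `secure` explicitly. OutputString's body starts and ends outside this hunk.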