Addeed support for an optional 'HTTPOnly' attribute of cookies

o See http://www.owasp.org/index.php/HTTPOnly for a description of the attribute. o Patch from Stephan Hofmockel via https://bugs.launchpad.net/zope2/+bug/367393

Addeed support for an optional 'HTTPOnly' attribute of cookies
o See http://www.owasp.org/index.php/HTTPOnly for a description of the attribute. o Patch from Stephan Hofmockel via https://bugs.launchpad.net/zope2/+bug/367393
fc6779e8 · Tres Seaver · aad78f22 · fc6779e8 · fc6779e8 · fc6779e8
Commit fc6779e8 authored Apr 28, 2009 by Tres Seaver
Showing with 35 additions and 0 deletions

doc/CHANGES.rst doc/CHANGES.rst +7 -0

src/ZPublisher/HTTPResponse.py src/ZPublisher/HTTPResponse.py +4 -0

src/ZPublisher/tests/testHTTPResponse.py src/ZPublisher/tests/testHTTPResponse.py +24 -0

No files found.
--- a/doc/CHANGES.rst
+++ b/doc/CHANGES.rst
@@ -18,6 +18,13 @@ Restructuring
 - Removed the dependency on `zope.app.testing` in favor of providing a more
  minimal placeless setup as part of ZopeTestCase for our own tests.
+Features Added
++++++++++++++
+- Addeed support for an optional 'HTTPOnly' attribute of cookies (see
+  http://www.owasp.org/index.php/HTTPOnly).  Patch from Stephan Hofmockel,
+  via https://bugs.launchpad.net/zope2/+bug/367393 .
 Bugs Fixed
 ++++++++++

--- a/src/ZPublisher/HTTPResponse.py
+++ b/src/ZPublisher/HTTPResponse.py
@@ -857,6 +857,10 @@ class HTTPResponse(BaseResponse):
                    cookie = '%s; Comment=%s' % (cookie,v)
                elif name == 'secure' and v:
                    cookie = '%s; Secure' % cookie
+                # Some browsers recognize this cookie attribute
+                # and block read/write access via JavaScript
+                elif name == 'http_only' and v:
+                    cookie = '%s; HTTPOnly' % cookie
            cookie_list.append(cookie)
        # Should really check size of cookies here!

--- a/src/ZPublisher/tests/testHTTPResponse.py
+++ b/src/ZPublisher/tests/testHTTPResponse.py
@@ -125,6 +125,30 @@ class HTTPResponseTests(unittest.TestCase):
        self.assertEqual(cookie.get('max_age'), 0)
        self.assertEqual(cookie.get('path'), '/')
+    def test_setCookie_w_httponly_true_value(self):
+        response = self._makeOne()
+        response.setCookie('foo', 'bar', http_only=True)
+        cookie = response.cookies.get('foo', None)
+        self.assertEqual(len(cookie), 2)
+        self.assertEqual(cookie.get('value'), 'bar')
+        self.assertEqual(cookie.get('http_only'), True)
+        cookie_list = response._cookie_list()
+        self.assertEqual(len(cookie_list), 1)
+        self.assertEqual(cookie_list[0], 'Set-Cookie: foo="bar"; HTTPOnly')
+    def test_setCookie_w_httponly_false_value(self):
+        response = self._makeOne()
+        response.setCookie('foo', 'bar', http_only=False)
+        cookie = response.cookies.get('foo', None)
+        self.assertEqual(len(cookie), 2)
+        self.assertEqual(cookie.get('value'), 'bar')
+        self.assertEqual(cookie.get('http_only'), False)
+        cookie_list = response._cookie_list()
+        self.assertEqual(len(cookie_list), 1)
+        self.assertEqual(cookie_list[0], 'Set-Cookie: foo="bar"')
    def test_expireCookie1160(self):
        # Verify that the cookie is expired even if an expires kw arg is passed
        # http://zope.org/Collectors/Zope/1160