Commit fc6779e8 authored by Tres Seaver's avatar Tres Seaver

Addeed support for an optional 'HTTPOnly' attribute of cookies

o See http://www.owasp.org/index.php/HTTPOnly for a description of the
  attribute.
  
o Patch from Stephan Hofmockel via https://bugs.launchpad.net/zope2/+bug/367393 
parent aad78f22
...@@ -18,6 +18,13 @@ Restructuring ...@@ -18,6 +18,13 @@ Restructuring
- Removed the dependency on `zope.app.testing` in favor of providing a more - Removed the dependency on `zope.app.testing` in favor of providing a more
minimal placeless setup as part of ZopeTestCase for our own tests. minimal placeless setup as part of ZopeTestCase for our own tests.
Features Added
++++++++++++++
- Addeed support for an optional 'HTTPOnly' attribute of cookies (see
http://www.owasp.org/index.php/HTTPOnly). Patch from Stephan Hofmockel,
via https://bugs.launchpad.net/zope2/+bug/367393 .
Bugs Fixed Bugs Fixed
++++++++++ ++++++++++
......
...@@ -857,6 +857,10 @@ class HTTPResponse(BaseResponse): ...@@ -857,6 +857,10 @@ class HTTPResponse(BaseResponse):
cookie = '%s; Comment=%s' % (cookie,v) cookie = '%s; Comment=%s' % (cookie,v)
elif name == 'secure' and v: elif name == 'secure' and v:
cookie = '%s; Secure' % cookie cookie = '%s; Secure' % cookie
# Some browsers recognize this cookie attribute
# and block read/write access via JavaScript
elif name == 'http_only' and v:
cookie = '%s; HTTPOnly' % cookie
cookie_list.append(cookie) cookie_list.append(cookie)
# Should really check size of cookies here! # Should really check size of cookies here!
......
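Review bot: The attribute is emitted as `HTTPOnly` on the last added line, whereas the spelling used by the original Microsoft documentation and later codified in RFC 6265 (`httponly-av = "HttpOnly"`) is `HttpOnly`; browsers compare attribute names case-insensitively, so this is a consistency point rather than a functional one, but the canonical spelling is what readers of the header and of cookie-inspecting tooling expect: `cookie = '%s; HttpOnly' % cookie`, with the expected string in test_setCookie_w_httponly_true_value in the test hunk updated to `'Set-Cookie: foo="bar"; HttpOnly'`. The added comment could say more precisely what the flag does and does not provide, e.g. `# Browsers honouring HttpOnly keep the cookie out of document.cookie and script-readable responses; it is still sent with every request, so it limits cookie theft via XSS but does not stop injected script from issuing authenticated requests.` The `http_only` keyword presumably reaches this loop through setCookie's keyword dict, since the test calls `setCookie('foo', 'bar', http_only=True)` without any change to setCookie's signature being shown; setCookie's docstring is outside the hunk, so confirm it documents the new keyword alongside `secure`. The enclosing `_cookie_list` method starts and ends outside the hunk.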
...@@ -125,6 +125,30 @@ class HTTPResponseTests(unittest.TestCase): ...@@ -125,6 +125,30 @@ class HTTPResponseTests(unittest.TestCase):
self.assertEqual(cookie.get('max_age'), 0) self.assertEqual(cookie.get('max_age'), 0)
self.assertEqual(cookie.get('path'), '/') self.assertEqual(cookie.get('path'), '/')
def test_setCookie_w_httponly_true_value(self):
response = self._makeOne()
response.setCookie('foo', 'bar', http_only=True)
cookie = response.cookies.get('foo', None)
self.assertEqual(len(cookie), 2)
self.assertEqual(cookie.get('value'), 'bar')
self.assertEqual(cookie.get('http_only'), True)
cookie_list = response._cookie_list()
self.assertEqual(len(cookie_list), 1)
self.assertEqual(cookie_list[0], 'Set-Cookie: foo="bar"; HTTPOnly')
def test_setCookie_w_httponly_false_value(self):
response = self._makeOne()
response.setCookie('foo', 'bar', http_only=False)
cookie = response.cookies.get('foo', None)
self.assertEqual(len(cookie), 2)
self.assertEqual(cookie.get('value'), 'bar')
self.assertEqual(cookie.get('http_only'), False)
cookie_list = response._cookie_list()
self.assertEqual(len(cookie_list), 1)
self.assertEqual(cookie_list[0], 'Set-Cookie: foo="bar"')
def test_expireCookie1160(self): def test_expireCookie1160(self):
# Verify that the cookie is expired even if an expires kw arg is passed # Verify that the cookie is expired even if an expires kw arg is passed
# http://zope.org/Collectors/Zope/1160 # http://zope.org/Collectors/Zope/1160
......