[New-bugs-announce] [issue23250] http.cookies HttpOnly attribute does not use suggested case-style of HTTP standard
Jon Dufresne
report at bugs.python.org
Fri Jan 16 15:25:00 CET 2015
New submission from Jon Dufresne:
See http://tools.ietf.org/html/rfc6265#section-5.2.6
Relevant section:
---
5.2.6. The HttpOnly Attribute
If the attribute-name case-insensitively matches the string HttpOnly", the user agent MUST append an attribute to the cookie-attribute-list with an attribute-name of HttpOnly and an empty attribute-value.
...
If the cookie-attribute-list contains an attribute with an attribute-name of "HttpOnly", set the cookie's http-only-flag to true. Otherwise, set the cookie's http-only-flag to false.
---
http.cookies creates this attribute as `httponly` not `HttpOnly`.
It is true, when interpreted by the user agent, this attribute is case insensitive, but it seems odd that Python would go out of its way to purposely use a different case then stated in the standard. When looking at other web technologies, the case used in the standard is most typical. The examples in the standard also use the `HttpOnly` style.
(Same applies to the Secure flag.)
----------
components: Library (Lib)
messages: 234132
nosy: jdufresne
priority: normal
severity: normal
status: open
title: http.cookies HttpOnly attribute does not use suggested case-style of HTTP standard
type: behavior
versions: Python 3.5
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23250>
_______________________________________
More information about the New-bugs-announce
mailing list