[Python-Dev] patch for Cookie.py to add support for HttpOnly

Matt Chisholm matt-python at theory.org
Thu Sep 4 21:31:27 CEST 2008


Eighteen months ago, Arvin Schnell contributed a really
straightforward three-line patch to Cookie.py adding support for the
HttpOnly flag on cookies:

http://bugs.python.org/issue1638033

In the last eighteen months, HttpOnly has become a de-facto extension
to the cookie standard. It is now supported by IE 7, Firefox 3, and
Opera 9.5 (and there's a bug open against WebKit to support it):

http://www.owasp.org/index.php/HTTPOnly

Ruby, Perl, and PHP all support creating HttpOnly cookies now too. 

This article explains why HttpOnly is a good way to make cross-site
scripting (XSS) attacks significantly more difficult:

http://www.codinghorror.com/blog/archives/001167.htmllop

Unfortunately this patch appears to have been ignored for the last
year.

The last thing I want is a delay in the release of 2.6/3.0, but
Antoine Pitrou posted on the bug that it will have to wait for Python
2.7/3.1, because it is a feature request.  If I'm not mistaken, that
means no support for HttpOnly until sometime in 2010.

Do we really have to wait two more years to apply a three-line patch
which will bring Python in line with the industry state of the art and
improve security for Python web applications?  Is there a way that
this could go in to 2.6.1/3.0.1? 

-matt




More information about the Python-Dev mailing list