Archived from: https://mail.python.org/pipermail/python-dev/2008-September/082251.html

[Python-Dev] patch for Cookie.py to add support for HttpOnly

Matt Chisholm matt-python at theory.org
Thu Sep 4 21:31:27 CEST 2008
Eighteen months ago, Arvin Schnell contributed a really
straightforward three-line patch to Cookie.py adding support for the
HttpOnly flag on cookies:

http://bugs.python.org/issue1638033

In the last eighteen months, HttpOnly has become a de-facto extension
to the cookie standard. It is now supported by IE 7, Firefox 3, and
Opera 9.5 (and there's a bug open against WebKit to support it):

http://www.owasp.org/index.php/HTTPOnly

Ruby, Perl, and PHP all support creating HttpOnly cookies now too.

This article explains why HttpOnly is a good way to make cross-site
scripting (XSS) attacks significantly more difficult:

http://www.codinghorror.com/blog/archives/001167.html

Unfortunately this patch appears to have been ignored for the last
year.

The last thing I want is a delay in the release of 2.6/3.0, but
Antoine Pitrou posted on the bug that it will have to wait for Python
2.7/3.1, because it is a feature request.  If I'm not mistaken, that
means no support for HttpOnly until sometime in 2010.

Do we really have to wait two more years to apply a three-line patch
which will bring Python in line with the industry state of the art and
improve security for Python web applications?  Is there a way that
this could go in to 2.6.1/3.0.1?

-matt
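As an added illustration, not part of Matt's message or of the patch under discussion, the following uses Python 3's http.cookies module (the successor to the Cookie.py module the thread is about), which today accepts an httponly attribute on a cookie. It builds a session cookie with HttpOnly and Secure set, and it parses a Set-Cookie header value to report which of those two flags are absent, the kind of check a reviewer would run against an application's responses. The cookie name and value are constructed sample data; the function names are mine.

```python
from http.cookies import SimpleCookie

# Flags a session cookie should normally carry. HttpOnly keeps the cookie out
# of document.cookie, so a script injected via XSS cannot read it; Secure
# restricts it to HTTPS.
PROTECTIVE_FLAGS = ("httponly", "secure")


def build_session_cookie(name, value, secure=True):
    """Return the Set-Cookie header value for a session cookie with HttpOnly set."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["httponly"] = True   # flag attribute: rendered as "HttpOnly"
    morsel["secure"] = secure   # flag attribute: rendered as "Secure" when true
    morsel["path"] = "/"
    # OutputString() renders the attributes in sorted order, e.g.
    # "sessionid=abc123; HttpOnly; Path=/; Secure"
    return morsel.OutputString()


def missing_cookie_flags(set_cookie_value):
    """Parse one Set-Cookie header value and map each cookie name to the
    protective flags it lacks (an empty list means both flags are present)."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    report = {}
    for cookie_name, morsel in jar.items():
        # Unset attributes are stored as "" by Morsel, so a plain truth test works.
        report[cookie_name] = [flag for flag in PROTECTIVE_FLAGS if not morsel[flag]]
    return report


if __name__ == "__main__":
    # Constructed sample values, not taken from any real application.
    hardened = build_session_cookie("sessionid", "abc123")
    print("Set-Cookie:", hardened)
    print("missing on hardened cookie:", missing_cookie_flags(hardened))
    print("missing on bare cookie:", missing_cookie_flags("sessionid=abc123; Path=/"))
```

Run the module directly to see the header value and the two audit results; the audit function can equally be fed Set-Cookie values captured from an application's own responses.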

