----- Original Message ----
> From: Adam Prime <adam.pr...@utoronto.ca>
> To: apreq-dev@httpd.apache.org
> Sent: Fri, November 12, 2010 11:07:42 PM
> Subject: Re: HttpOnly + [VOTE] T&R libapreq-2.13
>
> On 12/11/10 05:28 PM, Adam Prime wrote:
> >> All looks good. Waiting for someone with more legal knowledge than I to
> >> confirm that we can re-use the patch, and I'll commit to trunk.
> >>
> >> We may also want to do a release. With the small amount of development,
> >> it could be years until this sees the light of day if we wait to package
> >> more stuff into it :) 2.12 was released March, 2009, so I'd like to
> >> call a vote to T&R 2.13.
> >>
> >> [ ] Release 2.13 with the new HttpOnly cookie feature (once committed)
> >> [ ] Don't release 2.13 yet
> >>
> >
> > I have tests for the perl interface at home. I can send that patch later
> > this evening. I don't have a vote, but i'd vote for getting it out ;)
>
> The perl test is attached. One thing that should be noted about both
> these tests is that they only test HttpOnly on the outgoing Set-Cookie:
> header. From what i read, HttpOnly shouldn't exist on Cookie: headers
> coming from the client, and the patch from debian does not add support
> for parsing them out of Cookie: headers. I think known though, but i
> just wanted to make sure it was pointed out explicitly.

I don't think the HttpOnly flag comes back to the server via the Cookie header, so that's ok. The patch does include support for an $HttpOnly attribute for RFC-style cookies, but that's not called for in the documentation on HttpOnly. We could omit that portion of the patch without loss.
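
The asymmetry discussed in this thread, as an added example that is not part of the patch, the attached test or libapreq itself: HttpOnly is checked as an attribute token on the outgoing Set-Cookie value, while the Cookie value a client returns is the bare name=value pair. The function names and the sample header are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Case-insensitive match of the n bytes at a against the token b. */
static int ieq(const char *a, size_t n, const char *b)
{
    if (strlen(b) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* 1 if a Set-Cookie value carries HttpOnly as an attribute token. Only the
 * ';'-separated tokens after name=value count, not text inside the value. */
int set_cookie_has_httponly(const char *v)
{
    const char *p = strchr(v, ';');          /* skip the name=value pair */
    while (p) {
        p++;                                 /* step past ';' */
        while (*p == ' ' || *p == '\t') p++;
        const char *end = strchr(p, ';');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        while (len && (p[len - 1] == ' ' || p[len - 1] == '\t')) len--;
        if (ieq(p, len, "HttpOnly")) return 1;
        p = end;
    }
    return 0;
}

/* Cookie: value a client returns for v (name=value only); -1 if out is too small. */
int cookie_request_value(const char *v, char *out, size_t outlen)
{
    size_t n = strcspn(v, ";");
    while (n && (v[n - 1] == ' ' || v[n - 1] == '\t')) n--;
    if (n + 1 > outlen) return -1;
    memcpy(out, v, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    const char *sc = "sid=abc123; Path=/; HttpOnly";   /* constructed sample */
    char back[64];
    if (cookie_request_value(sc, back, sizeof back) == 0)
        printf("HttpOnly=%d  Cookie: %s\n", set_cookie_has_httponly(sc), back);
    return 0;
}
```

Matching on whole attribute tokens keeps a test like the one described from passing on a cookie whose value merely contains the string "httponly".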