----- Original Message ----
> From: Adam Prime <[email protected]>
> To: [email protected]
> Sent: Fri, November 12, 2010 11:07:42 PM
> Subject: Re: HttpOnly + [VOTE] T&R libapreq-2.13
>
> On 12/11/10 05:28 PM, Adam Prime wrote:
> >> All looks good. Waiting for someone with more legal knowledge than I to
> >> confirm that we can re-use the patch, and I'll commit to trunk.
> >>
> >> We may also want to do a release. With the small amount of development,
> >> it could be years until this sees the light of day if we wait to package
> >> more stuff into it :) 2.12 was released March, 2009, so I'd like to
> >> call a vote to T&R 2.13.
> >>
> >> [ ] Release 2.13 with the new HttpOnly cookie feature (once committed)
> >> [ ] Don't release 2.13 yet
> >>
> >
> > I have tests for the Perl interface at home. I can send that patch later
> > this evening. I don't have a vote, but I'd vote for getting it out ;)
>
> The Perl test is attached. One thing that should be noted about both
> these tests is that they only test HttpOnly on the outgoing Set-Cookie:
> header. From what I read, HttpOnly shouldn't exist on Cookie: headers
> coming from the client, and the patch from Debian does not add support
> for parsing them out of Cookie: headers. I think that's known though, but I
> just wanted to make sure it was pointed out explicitly.

I don't think the HttpOnly flag comes back to the server via the Cookie
header, so that's ok. The patch does include support for an $HttpOnly
attribute for RFC-style cookies, but that's not called for in the documentation
on HttpOnly. We could omit that portion of the patch without loss.
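
The asymmetry discussed in this thread, shown as an added example that is not part of the original messages and is not libapreq code: the flag is written on the outgoing Set-Cookie value, while a parser for the incoming Cookie header has nothing to recover it from. The `struct cookie` type, both function names and the sample values are hypothetical, and skipping unknown `$` tokens is this example's own choice.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical record for this example; not libapreq's apreq_cookie_t. */
struct cookie { char name[32], value[64], path[64]; int httponly; };

/* Outgoing: HttpOnly is a valueless attribute on the Set-Cookie value. */
int format_set_cookie(const struct cookie *c, char *buf, size_t len) {
    return snprintf(buf, len, "%s=%s; path=%s%s", c->name, c->value,
                    c->path, c->httponly ? "; HttpOnly" : "");
}

/* Incoming: parse a Cookie header value into out[]. "$Path" (RFC style)
 * attaches to the preceding cookie; any other "$" token, "$HttpOnly"
 * included, is skipped. Assumes no ';' inside quoted values. */
int parse_cookie_header(const char *hdr, struct cookie *out, int max) {
    int n = 0;
    while (*hdr) {
        char name[32] = "", value[64] = "";
        int got = sscanf(hdr, " %31[^=; ] = %63[^;]", name, value);
        hdr += strcspn(hdr, ";");            /* step past this pair */
        if (*hdr == ';') hdr++;
        if (got < 1) continue;               /* empty segment */
        size_t vl = strlen(value);           /* strip RFC-style quotes */
        if (vl >= 2 && value[0] == '"' && value[vl - 1] == '"') {
            value[vl - 1] = '\0';
            memmove(value, value + 1, vl - 1);
        }
        if (name[0] == '$') {
            if (n > 0 && strcmp(name, "$Path") == 0)
                snprintf(out[n - 1].path, sizeof out[n - 1].path, "%s", value);
        } else if (n < max) {
            struct cookie *c = &out[n++];
            memset(c, 0, sizeof *c);         /* httponly stays 0: unknown */
            snprintf(c->name, sizeof c->name, "%s", name);
            snprintf(c->value, sizeof c->value, "%s", value);
        }
    }
    return n;
}

int main(void) {   /* constructed sample values */
    struct cookie c = { "sid", "abc123", "/app", 1 }, in[4];
    char buf[128];
    format_set_cookie(&c, buf, sizeof buf);
    int n = parse_cookie_header("sid=abc123; $Path=/app; $HttpOnly", in, 4);
    printf("Set-Cookie: %s\nparsed=%d httponly=%d\n", buf, n, in[0].httponly);
    return 0;
}
```

A test of the parsing side therefore has no HttpOnly state to assert on; only the serialized Set-Cookie value carries it.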