[ http://issues.apache.org/jira/browse/MODPYTHON-108?page=all ]
Graham Dumpleton resolved MODPYTHON-108:

    Fix Version: 3.3
     Resolution: Fixed

At the technical level, it appears to mark up the cookie as it is meant to. Thus
the change has been committed and marked resolved. It really needs someone who
understands how this thing is used to actually put it into practice and come
back and say that it does as advertised in preventing cross-site scripting.

> Let Cookie support new HttpOnly property to prevent cross-site cookie stealing
> ------------------------------------------------------------------------------
>          Key: MODPYTHON-108
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-108
>      Project: mod_python
>         Type: Improvement
>   Components: core
>     Versions: 3.2.7, 3.1.4, 3.3
>     Reporter: Deron Meranda
>     Assignee: Graham Dumpleton
>     Priority: Minor
>      Fix For: 3.3
>  Attachments: MP108_20060427_grahamd_1.diff
> The Cookie.Cookie class does not allow the new "httponly" cookie property to 
> be set.  It needs to be added to the valid slots on the cookie metaclass.  
> Also note that, like the "secure" cookie attribute, it is simply a boolean 
> flag without any value.
> The HttpOnly flag was invented by Microsoft but is seeing widespread support as 
> a way to prevent cross-site scripting from stealing cookies using client-side 
> JavaScript.  This is especially important for security-sensitive cookies, 
> such as session keys.
> The mod_python session object should also explicitly set the HttpOnly 
> property on the cookies it creates.
> See also these related references:
> 1. http://msdn.microsoft.com/workshop/author/dhtml/httponly_cookies.asp
> 2. http://search.cpan.org/~mschout/Apache-AuthCookie-3.08/lib/Apache2/AuthCookie.pm
> 3. https://bugzilla.mozilla.org/show_bug.cgi?id=178993
> 4. http://www.linux.com/howtos/Secure-Programs-HOWTO/cross-site-malicious-content.shtml

This message is automatically generated by JIRA.
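The ticket's two technical points, that HttpOnly (like Secure) is a value-less flag rather than a name=value attribute, and that someone should check the emitted cookie actually carries it, can be exercised without mod_python. The following is an added example written for this page; it is not mod_python's Cookie class, not the attached patch, and not Graham's or Deron's code. It uses the Python standard library's http.cookies to emit the flags the same way the ticket describes, and a small audit routine that parses Set-Cookie headers and reports which sensitive cookies lack HttpOnly or Secure. The cookie name "pysid" is mod_python's default session cookie name; every header value, the "auth" and "theme" cookies and the list of sensitive name prefixes are constructed for the example.

```python
"""Emit Set-Cookie headers with the value-less HttpOnly/Secure flags and audit
headers for their presence.  Added example for the MODPYTHON-108 discussion;
uses the standard library, not mod_python's Cookie module."""
from http.cookies import SimpleCookie

# Constructed sample headers.  "pysid" is mod_python's default session cookie
# name; the values and the other cookies are made up for this example.
SAMPLE_HEADERS = [
    "pysid=2f4c1e9a; Path=/",                    # session cookie with no flags
    "pysid=2f4c1e9a; HttpOnly; Path=/; Secure",  # what a fixed server should send
    "theme=dark; Path=/; Max-Age=31536000",      # non-sensitive preference cookie
    "auth=tok; HttpOnly=yes; Secure",            # flag written with a value
]


def build_session_cookie(name, value, path="/", secure=True, httponly=True):
    """Return one Set-Cookie header value.  'secure' and 'httponly' are booleans:
    when true the bare token is emitted, when false the attribute is omitted
    entirely, which is the "flag without any value" behaviour the ticket asks for."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["secure"] = secure
    jar[name]["httponly"] = httponly
    return jar[name].OutputString()


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attrs).  Attributes without
    an '=' (the flags) map to True; attributes with a value map to that string.
    Attribute names are case-insensitive, so they are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def missing_flags(header):
    """Return which of HttpOnly / Secure are absent from the header, in a fixed
    order.  Only the attribute's presence matters: browsers apply HttpOnly to
    'HttpOnly=yes' exactly as to a bare 'HttpOnly', so a stray value is not
    treated as a finding here."""
    _, _, attrs = parse_set_cookie(header)
    return [flag for flag in ("httponly", "secure") if flag not in attrs]


def audit(headers, sensitive_prefixes=("pysid", "auth", "session")):
    """Return [(cookie_name, [missing flags]), ...] for every header whose cookie
    name starts with one of the (constructed) sensitive prefixes and lacks a
    flag.  Cookies with both flags, and non-sensitive cookies, are not reported."""
    findings = []
    for header in headers:
        name, _, _ = parse_set_cookie(header)
        if not name.lower().startswith(sensitive_prefixes):
            continue
        missing = missing_flags(header)
        if missing:
            findings.append((name, missing))
    return findings


if __name__ == "__main__":
    print(build_session_cookie("pysid", "2f4c1e9a"))
    print(build_session_cookie("pysid", "2f4c1e9a", secure=False))
    for cookie_name, missing in audit(SAMPLE_HEADERS):
        print(f"{cookie_name}: missing {', '.join(missing)}")
```

The audit only proves the header is well formed. The check the resolution comment asks for is done in the browser: after the server sets the cookie with HttpOnly, evaluating document.cookie on the page must not list it, while the same request path still carries it in the Cookie request header.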