On Thu, Sep 4, 2008 at 2:31 PM, Matt Chisholm <[EMAIL PROTECTED]> wrote:
> Eighteen months ago, Arvin Schnell contributed a really
> straightforward three-line patch to Cookie.py adding support for the
> HttpOnly flag on cookies:
>
> http://bugs.python.org/issue1638033
>
> In the last eighteen months, HttpOnly has become a de-facto extension
> to the cookie standard. It is now supported by IE 7, Firefox 3, and
> Opera 9.5 (and there's a bug open against WebKit to support it):
>
> http://www.owasp.org/index.php/HTTPOnly
>
> Ruby, Perl, and PHP all support creating HttpOnly cookies now too.
>
> This article explains why HttpOnly is a good way to make cross-site
> scripting (XSS) attacks significantly more difficult:
>
> http://www.codinghorror.com/blog/archives/001167.htmllop
>
> Unfortunately this patch appears to have been ignored for the last
> year.
>
> The last thing I want is a delay in the release of 2.6/3.0, but
> Antoine Pitrou posted on the bug that it will have to wait for Python
> 2.7/3.1, because it is a feature request. If I'm not mistaken, that
> means no support for HttpOnly until sometime in 2010.

I think we will try to shorten the release cycle for 2.7/3.1 so that it is closer to a year.

> Do we really have to wait two more years to apply a three-line patch
> which will bring Python in line with the industry state of the art and
> improve security for Python web applications? Is there a way that
> this could go in to 2.6.1/3.0.1?

Excepting it becoming a security issue, a BDFL or release manager pronouncement, or the Spanish Inquisition, no, I'm afraid not.

> -matt
>
> _______________________________________________
> Python-Dev mailing list
> Python-Dev@python.org
> http://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe:
> http://mail.python.org/mailman/options/python-dev/musiccomposition%40gmail.com

--
Cheers,
Benjamin Peterson
"There's no place like 127.0.0.1."
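As an added example, not code from this thread or from the Cookie.py patch it discusses: the stdlib `http.cookies` module in current Python emits the HttpOnly flag the patch introduced, and a small audit helper flags Set-Cookie headers that lack it. The cookie name, value and the "legacy" header are constructed for illustration.

```python
"""Emit an HttpOnly session cookie and audit Set-Cookie headers for the flag."""
from http.cookies import SimpleCookie


def build_session_cookie(name: str, value: str) -> str:
    """Return a Set-Cookie header value for a session cookie that browsers
    keep out of reach of document.cookie (HttpOnly) and only send over
    TLS (Secure)."""
    jar = SimpleCookie()
    jar[name] = value
    morsel = jar[name]
    morsel["path"] = "/"
    morsel["httponly"] = True   # the attribute the Cookie.py patch added
    morsel["secure"] = True
    # Attributes are emitted in sorted key order: HttpOnly, Path, Secure
    return morsel.OutputString()


def cookie_flags(set_cookie_value: str) -> set[str]:
    """Return the lower-cased attribute names on a Set-Cookie header value,
    e.g. {'path', 'httponly', 'secure'}.  The leading name=value pair is
    the cookie itself and is skipped."""
    parts = [p.strip() for p in set_cookie_value.split(";")[1:]]
    return {p.split("=", 1)[0].strip().lower() for p in parts if p}


def missing_hardening(set_cookie_value: str) -> list[str]:
    """List the protective flags a session cookie header lacks.  Handy for
    auditing responses from a stack that cannot yet set HttpOnly, the
    situation the thread describes."""
    present = cookie_flags(set_cookie_value)
    return [flag for flag in ("httponly", "secure") if flag not in present]


if __name__ == "__main__":
    hardened = build_session_cookie("sessionid", "9f2c1a")  # constructed value
    print("Set-Cookie:", hardened)
    # A header as an unpatched Cookie.py would have produced it (constructed):
    legacy = "sessionid=9f2c1a; Path=/"
    print("missing on legacy header:", missing_hardening(legacy))
```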