
Anonymous committed 47f4cf8

0.13dev: Enable the `httponly` attribute on all cookies when running Python >= 2.6.

Initial patch by Juha Mustonen. Closes #10453.

  • Parent commits bf0e7fd


Files changed (3)

                                              or req.base_path or '/'
         if self.env.secure_cookies:
             req.outcookie['trac_auth']['secure'] = True
+        if sys.version_info >= (2, 6):
+            req.outcookie['trac_auth']['httponly'] = True
         if self.auth_cookie_lifetime > 0:
             req.outcookie['trac_auth']['expires'] = self.auth_cookie_lifetime
 
         req.outcookie['trac_auth']['expires'] = -10000
         if self.env.secure_cookies:
             req.outcookie['trac_auth']['secure'] = True
+        if sys.version_info >= (2, 6):
+            req.outcookie['trac_auth']['httponly'] = True
 
     def _cookie_to_name(self, req, cookie):
         # This is separated from _get_name_for_cookie(), because the
             req.outcookie['trac_form_token']['path'] = req.base_path or '/'
             if self.env.secure_cookies:
                 req.outcookie['trac_form_token']['secure'] = True
+            if sys.version_info >= (2, 6):
+                req.outcookie['trac_form_token']['httponly'] = True
             return req.outcookie['trac_form_token'].value
 
     def _pre_process_request(self, req, chosen_handler):

trac/web/session.py

 
 from __future__ import with_statement
 
+import sys
 import time
 
 from trac.admin.api import console_date_format
         self.req.outcookie[COOKIE_KEY]['expires'] = expires
         if self.env.secure_cookies:
             self.req.outcookie[COOKIE_KEY]['secure'] = True
+        if sys.version_info >= (2, 6):
+            self.req.outcookie[COOKIE_KEY]['httponly'] = True
 
     def get_session(self, sid, authenticated=False):
         refresh_cookie = False
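Review bot: The `sys.version_info >= (2, 6)` gate added before `self.req.outcookie[COOKIE_KEY]['httponly'] = True` carries no explanation, and the identical gate appears in the two earlier hunks of this commit as well, so the reason for not setting the attribute unconditionally is lost on the next reader. A one-line comment at this site such as `# 'httponly' is only a recognised Morsel attribute from Python 2.6; older Cookie modules reject unknown keys` would record why the attribute is version-gated. Since `secure` and `httponly` are set together at every site, a small shared helper that applies both flags to a given Morsel would keep the three copies from drifting apart as further attributes are added. The enclosing method starts outside the hunk.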