[Zope-Checkins] SVN: Zope/trunk/ Added support for an optional 'HTTPOnly' attribute of cookies

Tres Seaver tseaver at palladion.com
Tue Apr 28 12:50:18 EDT 2009


Log message for revision 99561:
  Added support for an optional 'HTTPOnly' attribute of cookies
  
  o See http://www.owasp.org/index.php/HTTPOnly for a description of the
    attribute.
    
  o Patch from Stephan Hofmockel via https://bugs.launchpad.net/zope2/+bug/367393
  

Changed:
  U   Zope/trunk/doc/CHANGES.rst
  U   Zope/trunk/src/ZPublisher/HTTPResponse.py
  U   Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py

-=-
Modified: Zope/trunk/doc/CHANGES.rst
===================================================================
--- Zope/trunk/doc/CHANGES.rst	2009-04-28 15:28:49 UTC (rev 99560)
+++ Zope/trunk/doc/CHANGES.rst	2009-04-28 16:50:18 UTC (rev 99561)
@@ -18,6 +18,13 @@
 - Removed the dependency on `zope.app.testing` in favor of providing a more
   minimal placeless setup as part of ZopeTestCase for our own tests.
 
+Features Added
+++++++++++++++
+
+- Addeed support for an optional 'HTTPOnly' attribute of cookies (see
+  http://www.owasp.org/index.php/HTTPOnly).  Patch from Stephan Hofmockel,
+  via https://bugs.launchpad.net/zope2/+bug/367393 .
+
 Bugs Fixed
 ++++++++++
 
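Review bot: the changelog entry spells "Addeed" (should be "Added"); since CHANGES.rst is user-facing release text, fix it before this lands, and consider naming the new setCookie keyword (`http_only`) in the entry so readers know how to turn the attribute on, rather than only pointing at the OWASP page.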

Modified: Zope/trunk/src/ZPublisher/HTTPResponse.py
===================================================================
--- Zope/trunk/src/ZPublisher/HTTPResponse.py	2009-04-28 15:28:49 UTC (rev 99560)
+++ Zope/trunk/src/ZPublisher/HTTPResponse.py	2009-04-28 16:50:18 UTC (rev 99561)
@@ -857,6 +857,10 @@
                     cookie = '%s; Comment=%s' % (cookie,v)
                 elif name == 'secure' and v:
                     cookie = '%s; Secure' % cookie
+                # Some browsers recognize this cookie attribute
+                # and block read/write access via JavaScript
+                elif name == 'http_only' and v:
+                    cookie = '%s; HTTPOnly' % cookie
             cookie_list.append(cookie)
 
         # Should really check size of cookies here!
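Review bot: the two-line comment introducing the new branch sits between the `secure` arm and the `http_only` arm, so it reads as trailing commentary on `Secure` rather than as the explanation of `HTTPOnly`; move it inside the branch, directly above `cookie = '%s; HTTPOnly' % cookie`, and make it say what the attribute does in browsers that honour it (the cookie is not exposed to `document.cookie`, which limits what script injection can read) instead of "Some browsers recognize this cookie attribute". Note also that the new keyword is only recognised here in the serialisation loop; nothing in this hunk documents `http_only` in the `setCookie` signature or docstring, so it is discoverable only by reading this loop or the tests. As with `secure`, the test is `and v`, so any truthy value (including the string `'false'`) emits the attribute; that mirrors existing behaviour but is worth a sentence in the docstring.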

Modified: Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py
===================================================================
--- Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py	2009-04-28 15:28:49 UTC (rev 99560)
+++ Zope/trunk/src/ZPublisher/tests/testHTTPResponse.py	2009-04-28 16:50:18 UTC (rev 99561)
@@ -125,6 +125,30 @@
         self.assertEqual(cookie.get('max_age'), 0)
         self.assertEqual(cookie.get('path'), '/')
 
+    def test_setCookie_w_httponly_true_value(self):
+        response = self._makeOne()
+        response.setCookie('foo', 'bar', http_only=True)
+        cookie = response.cookies.get('foo', None)
+        self.assertEqual(len(cookie), 2)
+        self.assertEqual(cookie.get('value'), 'bar')
+        self.assertEqual(cookie.get('http_only'), True)
+
+        cookie_list = response._cookie_list()
+        self.assertEqual(len(cookie_list), 1)
+        self.assertEqual(cookie_list[0], 'Set-Cookie: foo="bar"; HTTPOnly')
+
+    def test_setCookie_w_httponly_false_value(self):
+        response = self._makeOne()
+        response.setCookie('foo', 'bar', http_only=False)
+        cookie = response.cookies.get('foo', None)
+        self.assertEqual(len(cookie), 2)
+        self.assertEqual(cookie.get('value'), 'bar')
+        self.assertEqual(cookie.get('http_only'), False)
+
+        cookie_list = response._cookie_list()
+        self.assertEqual(len(cookie_list), 1)
+        self.assertEqual(cookie_list[0], 'Set-Cookie: foo="bar"')
+
     def test_expireCookie1160(self):
         # Verify that the cookie is expired even if an expires kw arg is passed
         # http://zope.org/Collectors/Zope/1160
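Review bot: the two new tests cover `http_only=True` and `http_only=False` in isolation, but there is no test combining it with `secure=True`, which is the configuration a session cookie would normally use; given the branch order in `_cookie_list` (the `secure` arm precedes the `http_only` arm), add a case asserting `'Set-Cookie: foo="bar"; Secure; HTTPOnly'` so the attribute ordering is pinned and a later reordering of the `elif` chain cannot silently drop one of the two attributes. A test passing a non-boolean truthy value would likewise document that the attribute is emitted for any truthy `http_only`, not only `True`.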
