Message234132
| Author |
jdufresne |
| Recipients |
jdufresne |
| Date |
2015年01月16日.14:25:00 |
| SpamBayes Score |
-1.0 |
| Marked as misclassified |
Yes |
| Message-id |
<1421418300.49.0.235293790837.issue23250@psf.upfronthosting.co.za> |
| In-reply-to |
| Content |
See http://tools.ietf.org/html/rfc6265#section-5.2.6
Relevant section:
---
5.2.6. The HttpOnly Attribute
If the attribute-name case-insensitively matches the string HttpOnly", the user agent MUST append an attribute to the cookie-attribute-list with an attribute-name of HttpOnly and an empty attribute-value.
...
If the cookie-attribute-list contains an attribute with an attribute-name of "HttpOnly", set the cookie's http-only-flag to true. Otherwise, set the cookie's http-only-flag to false.
---
http.cookies creates this attribute as `httponly` not `HttpOnly`.
It is true, when interpreted by the user agent, this attribute is case insensitive, but it seems odd that Python would go out of its way to purposely use a different case then stated in the standard. When looking at other web technologies, the case used in the standard is most typical. The examples in the standard also use the `HttpOnly` style.
(Same applies to the Secure flag.) |
|
History
|
|---|
| Date |
User |
Action |
Args |
| 2015年01月16日 14:25:00 | jdufresne | set | recipients:
+ jdufresne |
| 2015年01月16日 14:25:00 | jdufresne | set | messageid: <1421418300.49.0.235293790837.issue23250@psf.upfronthosting.co.za> |
| 2015年01月16日 14:25:00 | jdufresne | link | issue23250 messages |
| 2015年01月16日 14:25:00 | jdufresne | create |
|