
Ticket #8895 (closed enhancement: fixed)

Opened 1 year ago

Last modified 10 months ago

[PATCH] Ability to set HttpOnly cookies

Reported by: Spakman Assigned to: core
Priority: normal Milestone: 1.x
Component: ActionPack Version: edge
Severity: normal Keywords: cookie httponly verified
Cc:

Description

The HttpOnly cookie flag (1) tells a browser that the cookie should not be accessible via scripting. This can help to mitigate *some* XSS risk.

AFAIK, only IE6+ supports this just now, although I believe it is planned for Firefox 3.0 (2) and Opera 9.5 (3).

[1] - http://msdn2.microsoft.com/en-us/library/system.web.httpcookie.httponly.aspx

[2] - https://bugzilla.mozilla.org/show_bug.cgi?id=178993

[3] - http://www.avencius.nl/?q=node/566

The attached patch (with tests) adds this functionality to Rails.

Attachments

http_only_cookies.patch (3.7 kB) - added by Spakman on 07/06/07 13:08:59.
Patch to give ability to set HttpOnly cookies
http_cookies.patch (4.8 kB) - added by lifofifo on 07/07/07 00:08:44.
Refactored some relevant code to original patch
http_cookies.2.patch (4.8 kB) - added by Spakman on 07/24/07 10:11:00.
Fixed typo (and patch!)
http_cookies.3.patch (5.3 kB) - added by Spakman on 08/06/07 14:55:48.
Some tidying

Change History

07/06/07 13:08:59 changed by Spakman

  • attachment http_only_cookies.patch added.

Patch to give ability to set HttpOnly cookies

07/07/07 00:07:53 changed by lifofifo

  • summary changed from Ability to set HttpOnly cookies to [PATCH] Ability to set HttpOnly cookies.

07/07/07 00:08:44 changed by lifofifo

  • attachment http_cookies.patch added.

Refactored some relevant code to original patch

07/07/07 00:11:11 changed by lifofifo

+1

07/20/07 18:48:20 changed by emerose

Firefox supports httpOnly as of 2.0.0.5 -- see the bugzilla bug above...

+1

07/20/07 18:54:33 changed by bgreenlee

+1

(follow-up: ↓ 6 ) 07/20/07 20:03:32 changed by manfred

I see a typo, "weather" instead of "whether".

(in reply to: ↑ 5 ) 07/23/07 10:01:40 changed by Spakman

Fixed typo.

07/23/07 10:13:25 changed by lifofifo

  • keywords changed from cookie httponly to cookie httponly verified.

(follow-up: ↓ 9 ) 07/23/07 10:56:12 changed by lifofifo

  • keywords changed from cookie httponly verified to cookie httponly.
  • status changed from new to closed.
  • resolution set to incomplete.

Patch doesn't apply clean to latest edge as seen at http://rails.corefun.org/tasks/16

Please submit patch against latest edge and reopen the ticket.

07/24/07 10:11:00 changed by Spakman

  • attachment http_cookies.2.patch added.

Fixed typo (and patch!)

(in reply to: ↑ 8 ) 07/24/07 10:18:55 changed by Spakman

  • status changed from closed to reopened.
  • resolution deleted.

Replying to lifofifo:

Patch doesn't apply clean to latest edge as seen at http://rails.corefun.org/tasks/16

I've no idea how I managed to screw up the last patch! This one works with the latest revision.

07/24/07 10:22:14 changed by lifofifo

Heh. I don't think you screwed up. It's just that edge gets updated all the time and you have to keep updating your patch to match the changes.

07/26/07 07:45:06 changed by emax

Applied patch successfully against the latest edge revision (7239).

Actionpack tests are all passing.

+1

07/26/07 10:01:15 changed by kampers

  • keywords changed from cookie httponly to cookie httponly verified.

That's four verifications; applied cleanly with passing tests at http://rails.corefun.org/tasks/35. Re-setting verified tag.

(follow-ups: ↓ 14 ↓ 15 ) 08/05/07 01:17:18 changed by nzkoz

  • keywords changed from cookie httponly verified to cookie httponly.

What's the rationale for making http_only have to be a boolean? Seems like a bit of a smell.

def http_only=(val)
  # silently ignores anything that is not literally true or false
  @http_only = val if val == true or val == false
end

(in reply to: ↑ 13 ) 08/05/07 02:38:29 changed by bgreenlee

or why not just:

def http_only=(val)
  # anything other than literal true becomes false
  @http_only = val == true
end
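To make concrete what the description says the flag does and what the setter discussion above is about, here is an added example that is not the attached patch and not Rails' own cookie code. It is a minimal stand-alone cookie model (the `DemoCookie` class and `header_http_only?` helper are assumed names for this example) that normalises the flag the way bgreenlee's setter does and emits the resulting Set-Cookie header value, where HttpOnly appears as a bare attribute; a browser that does not understand the attribute simply ignores it. The helper at the end is the check a defender would run over a response's Set-Cookie header to confirm the flag is actually present.

```ruby
require 'cgi'
require 'time'

# Minimal cookie model for illustration (assumed class name, not ActionPack's).
class DemoCookie
  attr_reader :name, :value, :path, :expires, :secure, :http_only

  def initialize(name, value, path: '/', expires: nil, secure: false, http_only: false)
    @name, @value, @path, @expires = name, value, path, expires
    self.secure = secure
    self.http_only = http_only
  end

  # bgreenlee's form: only literal true enables the flag, so a stray "yes" or 1
  # can never leak into the header as a truthy-but-unexpected value.
  def http_only=(val)
    @http_only = val == true
  end

  def secure=(val)
    @secure = val == true
  end

  # Serialise to a Set-Cookie header value. HttpOnly (like secure) is an
  # attribute without a value; browsers that lack support ignore it.
  def to_header
    parts = ["#{CGI.escape(name)}=#{CGI.escape(value)}", "path=#{path}"]
    parts << "expires=#{expires.httpdate}" if expires
    parts << 'secure' if secure
    parts << 'HttpOnly' if http_only
    parts.join('; ')
  end
end

# Defender's check: does a Set-Cookie header value carry the HttpOnly flag?
# Attribute names are case-insensitive, so compare ignoring case.
def header_http_only?(set_cookie_value)
  set_cookie_value.split(';').map(&:strip).any? { |attr| attr.casecmp('httponly') == 0 }
end

if __FILE__ == $0
  session = DemoCookie.new('session_id', 'abc123', http_only: true)   # constructed sample values
  puts session.to_header
  puts header_http_only?(session.to_header)
end
```

Passing `http_only: "yes"` or `http_only: 1` to the constructor yields a flag of `false`, which is exactly the behaviour nzkoz questioned and bgreenlee's one-liner keeps, without the explicit `val == true or val == false` guard.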

(in reply to: ↑ 13 ) 08/06/07 14:41:48 changed by Spakman

Replying to nzkoz:

What's the rationale for making http_only have to be a boolean? Seems like a bit of a smell.

I was following the existing code for secure cookies. I'll attach an updated patch using bgreenlee's code.

08/06/07 14:55:48 changed by Spakman

  • attachment http_cookies.3.patch added.

Some tidying

09/21/07 11:11:26 changed by Spakman

  • keywords changed from cookie httponly to cookie httponly verified.

09/21/07 15:05:52 changed by david

  • status changed from reopened to closed.
  • resolution set to fixed.

(In [7525]) Added support for HTTP Only cookies (works in IE6+ and FF 2.0.5+) as an improvement for XSS attacks (closes #8895) [lifo/Spakman]