httpd-apreq-dev mailing list archives

From Joe Schaefer <joe_schae...@yahoo.com>
Subject Re: HttpOnly + [VOTE] T&R libapreq-2.13
Date Sat, 13 Nov 2010 06:11:29 GMT
----- Original Message ----

> From: Adam Prime <adam.prime@utoronto.ca>
> To: apreq-dev@httpd.apache.org
> Sent: Fri, November 12, 2010 11:07:42 PM
> Subject: Re: HttpOnly + [VOTE] T&R libapreq-2.13
> 
> On 12/11/10 05:28 PM, Adam Prime wrote:
> >> All looks good. Waiting for someone with more legal knowledge than I to
> >> confirm that we can re-use the patch, and I'll commit to trunk.
> >>
> >> We may also want to do a release. With the small amount of development,
> >> it could be years until this sees the light of day if we wait to package
> >> more stuff into it :) 2.12 was released March, 2009, so I'd like to
> >> call a vote to T&R 2.13.
> >>
> >> [  ] Release 2.13 with the new HttpOnly cookie feature (once committed)
> >> [  ] Don't release 2.13 yet
> >>
> > 
> > I have tests for the Perl interface at home. I can send that patch later
> > this evening. I don't have a vote, but I'd vote for getting it out ;)
> 
> The Perl test is attached. One thing that should be noted about both
> these tests is that they only test HttpOnly on the outgoing Set-Cookie:
> header. From what I read, HttpOnly shouldn't exist on Cookie: headers
> coming from the client, and the patch from Debian does not add support
> for parsing them out of Cookie: headers. I think known though, but I
> just wanted to make sure it was pointed out explicitly.

I don't think the HttpOnly flag comes back to the server via the Cookie
header, so that's ok.  The patch does include support for an $HttpOnly
attribute for RFC-style cookies, but that's not called for in the documentation
on HttpOnly.  We could omit that portion of the patch without loss.
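
The asymmetry discussed in this message, as an added example that is not part of the original e-mail and is not libapreq code: a Set-Cookie value carries HttpOnly as an attribute, while the Cookie: header a client sends back contains only the name=value pair. The helper name `split_set_cookie` and the sample header are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Hypothetical helper, not libapreq API.
 * Splits a Set-Cookie header value into the name=value pair a client
 * echoes back in Cookie:, and reports whether HttpOnly was set.
 * Returns 0 on success, -1 on malformed input or short buffer. */
static int split_set_cookie(const char *hdr, char *pair, size_t pairlen,
                            int *httponly)
{
    const char *end = strchr(hdr, ';');
    size_t n = end ? (size_t)(end - hdr) : strlen(hdr);

    while (n > 0 && (hdr[n - 1] == ' ' || hdr[n - 1] == '\t'))
        n--;                       /* trim trailing whitespace */
    if (n == 0 || n >= pairlen || memchr(hdr, '=', n) == NULL)
        return -1;
    memcpy(pair, hdr, n);
    pair[n] = '\0';

    *httponly = 0;
    while (end != NULL) {          /* walk the ';'-separated attributes */
        const char *attr = end + 1;
        attr += strspn(attr, " \t");
        end = strchr(attr, ';');
        size_t len = end ? (size_t)(end - attr) : strlen(attr);
        while (len > 0 && (attr[len - 1] == ' ' || attr[len - 1] == '\t'))
            len--;
        if (len == 8 && strncasecmp(attr, "HttpOnly", 8) == 0)
            *httponly = 1;         /* attribute names are case-insensitive */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample header value, not taken from the thread. */
    const char *hdr = "session=abc123; path=/; HttpOnly";
    char pair[128];
    int flag;

    if (split_set_cookie(hdr, pair, sizeof pair, &flag) == 0)
        printf("Set-Cookie: %s\nCookie: %s\nHttpOnly=%d\n", hdr, pair, flag);
    return 0;
}
```

Because the flag never appears in the request, a server-side test can only assert on the Set-Cookie it emits, which is what the tests mentioned above do.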


      
