Ticket #3304: django_httponly_patch.diff

File django_httponly_patch.diff, 5.4 KB (added by rodolfo, 7 years ago)
  • django/http/__init__.py

     
    11import os
    22import re
    3 from Cookie import SimpleCookie, CookieError
     3import Cookie
     4if Cookie.Morsel._reserved.has_key('httponly'):
     5    SimpleCookie = Cookie.SimpleCookie
     6    CookieError = Cookie.CookieError
     7else:
     8    class Morsel(Cookie.Morsel):
     9        def __setitem__(self, K, V):
     10            K = K.lower()
     11            if K == "httponly":
     12                if V:
     13                    self.__dict__.__setitem__(K, "")
     14            else:
     15                super(Morsel, self).__setitem__(K, V)
     16
     17        def OutputString(self, attrs=None):
     18            output = super(Morsel, self).OutputString(attrs)
     19            if "httponly" in self.__dict__:
     20                output += "; httpOnly"
     21            return output
     22
     23    class SimpleCookie(Cookie.SimpleCookie):
     24        def __set(self, key, real_value, coded_value):
     25            M = self.get(key, Morsel())
     26            M.set(key, real_value, coded_value)
     27            dict.__setitem__(self, key, M)
     28
     29        def __setitem__(self, key, value):
     30            rval, cval = self.value_encode(value)
     31            self.__set(key, rval, cval)
     32
    433from pprint import pformat
    534from urllib import urlencode
    635from urlparse import urljoin
     
    342371        return self._headers.get(header.lower(), (None, alternate))[1]
    343372
    344373    def set_cookie(self, key, value='', max_age=None, expires=None, path='/',
    345                    domain=None, secure=False):
     374                   domain=None, secure=False, httponly=None):
    346375        self.cookies[key] = value
    347376        if max_age is not None:
    348377            self.cookies[key]['max-age'] = max_age
     
    354383            self.cookies[key]['domain'] = domain
    355384        if secure:
    356385            self.cookies[key]['secure'] = True
     386        if httponly:
     387            self.cookies[key]['httponly'] = True
    357388
    358389    def delete_cookie(self, key, path='/', domain=None):
    359390        self.set_cookie(key, max_age=0, path=path, domain=domain,
  • django/conf/global_settings.py

     
    316316SESSION_COOKIE_PATH = '/'                               # The path of the session cookie.
    317317SESSION_SAVE_EVERY_REQUEST = False                      # Whether to save the session data on every request.
    318318SESSION_EXPIRE_AT_BROWSER_CLOSE = False                 # Whether a user's session cookie expires when the Web browser is closed.
     319SESSION_HTTP_ONLY = False                 # Whether to use the non-RFC standard httpOnly flag (IE, FF3+, others)
    319320SESSION_ENGINE = 'django.contrib.sessions.backends.db'  # The module to store session data
    320321SESSION_FILE_PATH = None                                # Directory to store session files if using the file session module. If None, the backend will use a sensible default.
    321322
  • django/contrib/sessions/middleware.py

     
    3838                        request.session.session_key, max_age=max_age,
    3939                        expires=expires, domain=settings.SESSION_COOKIE_DOMAIN,
    4040                        path=settings.SESSION_COOKIE_PATH,
    41                         secure=settings.SESSION_COOKIE_SECURE or None)
     41                        secure=settings.SESSION_COOKIE_SECURE or None,
     42                        httponly=settings.SESSION_HTTP_ONLY or None)
    4243        return response
  • docs/topics/http/sessions.txt

     
    484484Whether to expire the session when the user closes his or her browser. See
    485485"Browser-length sessions vs. persistent sessions" above.
    486486
     487SESSION_HTTP_ONLY
     488-----------------
     489
     490Default: ``False``
     491
     492Whether to use HTTPOnly flag on cookies. If this is set to ``True``, javascript will not to be able to access the cookie.
     493HTTPOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HTTPOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
     494
    487495SESSION_SAVE_EVERY_REQUEST
    488496--------------------------
    489497
  • docs/ref/settings.txt

     
    941941Whether to expire the session when the user closes his or her browser.
    942942See the :ref:`topics-http-sessions`.
    943943
     944.. setting:: SESSION_HTTP_ONLY
     945
     946SESSION_HTTP_ONLY
     947-----------------
     948
     949Default: ``False``
     950
     951Whether to use HTTPOnly flag on cookies. If this is set to ``True``, javascript will not to be able to access the cookie.
     952HTTPOnly is an additional flag included in a Set-Cookie HTTP response header. Using the HTTPOnly flag when generating a cookie helps mitigate the risk of client side script accessing the protected cookie (if the browser supports it).
     953
     954See the :ref:`topics-http-sessions`.
     955See http://www.owasp.org/index.php/HTTPOnly
     956
    944957.. setting:: SESSION_FILE_PATH
    945958
    946959SESSION_FILE_PATH
Back to Top